In my first post, I explained how the upcoming General Data Protection Regulation (GDPR) will affect companies inside and outside the borders of the European Union and United Kingdom once it comes into effect on 25 May 2018.
To recap, GDPR aims to give citizens control over how their personal data is obtained, processed, used and stored. It will simplify the regulatory environment for international business by unifying regulation within the EU.
In the case of a data breach, companies will have to pay penalties of 4 percent of their annual global turnover or €20 million, whichever number is greater. GDPR stipulates citizens’ rights to data access, erasure, portability, protection as well as privacy by design, and calls for the appointment of a data protection officer (DPO) to oversee these actions.
Data subject rights vs data controller obligations
The wonderful thing about GDPR is that it aims to give clear, simple instructions on the rights of individuals as data subjects and the obligations of both data controllers and processors. It also leaves room for legal departments to interpret the regulation. This means it is absolutely critical that you are closely engaged with your legal officers so that you are able to prioritize your plan of action with their support.
Data subjects have the rights to:
- Be forgotten;
- Give consent;
- Not be profiled;
- Suspend data use;
- Gain access to own data;
- Be given an explanation of how their data is used, or otherwise be informed;
- Obtain remediation; and
- Be erased or deleted.
Data controllers and processors have an obligation to:
- Notify data subjects of all usages or changes;
- Conduct regular impact assessments;
- Put systems in place to protect data transfers outside the European Economic Area (EEA);
- Consider applying encryption, pseudonyms or masking;
- Adhere to principles of privacy by default or design; and
- Ensure data protection avoids breaches.
HR: get your house in order with these practical steps
- Change your organization’s talent strategy
GDPR is a principles-based regulation, which means international compliance officers (ICOs) will look at how well HR equips organizations with the necessary skills and behaviours. Individuals with data-privacy skills are in hot demand and HR will have to develop the right talent strategy when it comes to hiring and retaining people for the organization’s data protection office (DPO). At the same time, it’s critical to train senior managers on the key principles and requirements of GDPR.
- Embed GDPR principles across the organization
Training, policies and procedures won’t be enough; GDPR requires a complete change in mindset from everyone across the organization. From C-level to interns, everyone needs to know what is expected of them when it comes to handling personal data. This is where change interventions can modify culture and behaviour, helping to foster a sense of responsibility and care in the workforce in how they handle personal data. This is vital in ensuring that privacy by default and by design is embedded across the organization.
- Make changes to HR policy, processes and procedures regarding employees’ data
HR will have to maintain a log of where employees’ personally identifiable data is stored, how it uses that data and what the process risk levels are. It must be able to identify, assess and report any data breaches to current, past and prospective employees. GDPR will also apply to any third parties used in the talent ecosystem, including recruitment, remuneration, benefits, etc. Having a clear picture of data elements and data lineage will help in responding to queries related to GDPR.
- Adapt to employees’ new data privacy rights
HR needs to be aware of employees’ new rights as data subjects, and it must ensure that past, current and prospective employees give explicit consent for the use of their personal data. This will likely require new data privacy statements to be circulated and adopted across the organization.
- Ensure all technical teams have the right skills and tools for GDPR
The HR chief information officer must make sure the organization has the right tools to identify and report where and why personal data is stored, as well as the risks involved. The CIO must also be able to demonstrate that technical operations and systems function according to the principles of privacy by design and by default. Accenture has developed machine-learning tools that support ongoing data discovery and GDPR Article 30 reporting.
- Make a mind shift from challenge to opportunity
GDPR may seem like a burden, but it also holds great opportunity to reduce cost and unlock new value. Minimizing employee data means a reduction in cost and data noise by trimming the records that hold no value. This then allows data teams to focus on the maintenance and accuracy of fewer data fields. Holding third parties to account creates more value from data sharing through a redefined data strategy. New categories of data can give companies more comprehensive profiles for running enhanced analytics on the talent pool – therefore GDPR can be leveraged for more good within the organization if managed appropriately.
All in all, GDPR will enable organizations to become more agile by streamlining data processes. To learn more, get in touch or have a look at these useful resources.