3 challenges for HR to think about as GDPR takes effect
HR may be familiar with the importance of data privacy, but it isn’t usually focused on the specifics of the process. It may need to be after May 25.
The General Data Protection Regulation (GDPR) goes into effect Friday, May 25 — and you're not alone if you still don’t quite understand how it will impact your business.
But change is coming, even for the confused (and those in the U.S.), and you need to be moving now, not later, Didier Elzinga, founder and CEO of Culture Amp, told HR Dive in an interview. Perhaps an omen of the errors of procrastination, the GDPR’s official website was down for much of the week — including at press time.
"Any processes or changes that need to happen, need to happen now," Elzinga said. "You can't just start it on the 25th."
GDPR's reach only technically extends to the EU, but it will also impact U.S. employers that have personnel within the EU or that have a location within the EU. In response, some employers, including Microsoft, are choosing to adapt their protocols worldwide.
While HR is familiar with the importance of data privacy, the department isn't usually focused on specifics of the process such as when and how the data is gathered, unlike marketing or other customer-centric departments. GDPR will require that HR understands that as of Friday, even though the department is "a decade or so" behind marketing in that regard, Elzinga said.
"You're now basically seeing the beginning of HR going into this like marketing had to years ago," he added.
GDPR is a massive regulation — but the aspects of it that will challenge HR the most may be building blocks to how data will be approached worldwide in the future. What should HR managers, even those in the U.S. with only domestic employees, be thinking about at the final hour? Read on.
Understand the right to personal data — including erasure
The amount of power individuals will have over their data will be game-changing, experts told HR Dive. HR managers, in particular, need to be aware of the new power European employees will hold. GDPR grants a number of rights, including the right to correction, the right to erasure and the right to portability.
"It's a real challenge and a fundamental shift in how we view data, especially here in the U.S.," Colleen Rynne, senior compliance advisor at Ultimate Software, told HR Dive in an interview. "Companies are not used to individuals saying 'I want my personal data erased.'"
Documentation and process building is going to be key for many of these new regulations, especially since employers will still reserve the right to validate certain requests. A manager will need to know who to go to when a request comes in, for example.
"It is not specific to one subset of individuals...it's everyone," Rynne said. Marketing, communications, sales, legal, HR and all the rest need to know where their data resides, when it is needed and what to do if they receive a data request.
The request for erasure is one of the bigger challenges for employers, Rynne noted. If an individual is terminated, HR is going to have to figure out where any data connected to that person originated from and where it resides so that it can be properly disposed of.
Luckily, employers do have some recourse. "Particularly with right of erasure, the request is not absolute," Rynne said. "If a company has a legal obligation to maintaining that data, they have the right to deny that request."
But, to be prepared for that, HR will need to know what data that may apply to.
Understand why data is needed — or not
In essence, HR is going to have to change its mindset. As individuals seek greater control over their data, employers are going to have to consider which data are necessary to keep through the course of employment, Rynne said — no easy task. HR handles mountains of confidential data and understands the consequences of handling it wrong, but the GDPR requires a specificity HR is likely not ready for.
"They have the right intent," Elzinga said. "But this is going to have a level of sophistication that maybe they haven't been required to give."
Traditionally, departments may have erred on the side of keeping all data. Now, employers may have to carefully consider how and why they keep each piece of personnel data they have obtained — and that is where Elzinga expects to see the biggest shift.
"We're increasingly blurring the lines of what we expect as a consumer versus what we expect as an employee, which has been separate for a long time," Elzinga said. Even the definition of employee could be extended to everyone you may be interviewing for a job, which further complicates the issue.
What will you be doing with all that information? What will you need to keep long-term and what will you be able to get rid of? GDPR will expect you to know.
Make employee guidance — and consent — clear
Communication is going to be key entering GDPR’s enforcement phase. It should be clear, concise and without legalese. Rynne suggested having someone else review your data communications; if a "reasonable person" cannot understand it, go through and correct it now, she said.
Employers may also experience considerable struggle over obtaining or finding consent for how data will be used. No bait-and-switch allowed; consent from employees will have to be fully informed as to the exact parameters of what the data may be used for, Elzinga said.
"You have to basically understand how and where you are processing that data," he said. "For multinational companies, this can be quite tricky."
That means HR will have to be in communication with its vendors about GDPR compliance, as well. Data enrichment tools, employee screening platforms and background check providers all must know how they are obtaining consent for data use and inform employers of that, too.
"People have to take an active role in finding out where the consent is coming from," Elzinga said.
GDPR actually requires that companies appoint a data protection officer, or someone focused on ensuring compliance with many of the GDPR’s directives. The person serving in that role can perform other duties but is not supposed to have a "conflict of interest," so it likely can't be a chief security officer, for example, Elzinga said. While this is largely a concern only for companies that do business or manage people directly in Europe, HR is responsible for figuring out how that role may function within the business.
Many companies may not be touched by GDPR regulations in a direct way just yet, but employers can see the writing on the wall.
"The broad trend is that companies are being required to treat the data that they keep with much more care," Elzinga said. And that alone could bring sweeping change everywhere — not just in Europe.
Follow Kathryn Moody on Twitter