Safeguarding data privacy is the responsibility of all staff, not just those in HR or IT

The huge reliance organisations have on data, coupled with tough new privacy laws in many parts of the world and the growing threat from cyberattacks, means safeguarding information has become an increasing part of the HR remit.

It’s also something that many HR teams have yet to fully get to grips with. According to the Ius Laboris forces for change 2020 survey, 69 per cent of HR professionals say their business does not currently have all the necessary processes, policies and governance in place to process their employee data properly. Despite this, just 8 per cent ranked data privacy as one of their top challenges for the year ahead.

“New technologies offer a vast range of opportunities. However, they often also collect a huge amount of personal data,” says Roberta Papa, partner and employment law specialist at Blesi & Papa, Ius Laboris Switzerland. “When evaluating the implementation of any new technologies, employers should pay attention to compliance with data protection laws. Does local law allow the collection and processing of personal data and is it protected from unauthorised access? Is data compliance ensured if data processing is outsourced?”

The level of fines handed down to organisations that have failed in their data responsibilities makes it easy to see why this must be a high priority, especially within the European Union, where the General Data Protection Regulation (GDPR) came into force in May 2018 and brought with it the prospect of fines of up to EUR 20 million or 4 per cent of turnover. And regulators are starting to use those powers: in France, the regulator (the CNIL) issued a EUR 50 million fine to Google for a lack of transparency, insufficient information provided to customers and the absence of an appropriate lawful basis for processing personal data.

Flavius Plesu, chief executive of OutThink, which uses software to identify high-risk employee behaviour, says: “The financial penalties that can be imposed under the GDPR, coupled with potentially unlimited reputational and operational damage caused by a data breach, should be enough to make organisations initiate data security programmes.”

Depending on where organisations are based in the EU, the GDPR either introduces new responsibilities or enforces existing ones around the protection of data and the rights of staff.

“The major difference with the GDPR is the fact it is now incumbent upon the organisation to ensure it respects and adheres to the data protection rights afforded under this new law,” says Steve Wright, chief evangelist at the Data Protection World Forum and a partner at Privacy Culture Limited.

“Examples of the new rules include the right to be forgotten, or erasure once an employee has left the organisation, assuming there are no other legitimate grounds for retaining the personal data, such as tax laws or health and safety registers.”

An ongoing task

Philip Nabben, partner at Bronsgeest Deur Advocaten, Ius Laboris Netherlands and chair of the Ius Laboris privacy expert group, warns against the misconception that data privacy is a one-off project. “In the period prior to the implementation of the GDPR, the privacy teams of the various Ius Laboris offices were overloaded with questions about data privacy and how to become GDPR compliant,” he says, “but once templates, policies, notices and the like were put into use, and 25 May 2018 passed, fewer of these requests came in. However, putting data privacy documents in place is only one step out of many.”

Beyond that, there is a need within every organisation to embed good working practices throughout the whole structure and ensure people instinctively use them in their everyday work. This may mean questioning, for example, whether it is really necessary to collect new information when doing a new project. What would be the purpose of holding it and do we have a good enough means of storing it? How will we ensure we delete it after an appropriate period – and how long should we be keeping it? These questions need to be instinctively top of mind for employees in every department and at every level of the company – not just those tasked with responsibility for data protection.

However, Nabben points out that although the new data privacy rules were widely feared in the months before May 2018, they have in fact generated much greater awareness about data privacy in general. This feeds into the ongoing work of embedding good practice.

“And it is a good idea to review the documents and processes put in place when the GDPR came into force on an ongoing basis,” says Guillaume Bordier, partner at Capstan Avocats, Ius Laboris France. “Companies should not shy away from asking whether the contractual confidentiality clauses and data protection policies put in place then are actually clear and complete enough to work effectively.”

It is also vital to ensure that staff receive suitable training regularly to instill the right messages. “HR not only needs to help procure training that’s truly effective, but also ensure it’s delivered to employees regularly,” says Peter Galdies, managing director at DQM GRC. “This includes ensuring that joiners and temporary staff receive training prior to interacting with the organisation’s personal data.”

Turning to what can happen further down the line, Bordier highlights the need for strategies to address data breaches: “Are appropriate measures taken to remedy them and punish violations of data protection policies – including against former employees?”

Papa emphasises the importance of giving employees sufficient time to adapt to any new technology: “Asking staff to use new technology should not lead to discrimination, in particular of older employees, who may need more time to adjust.”

Supplier risk factor

In Europe, scrutiny should also be applied to suppliers, particularly new ones that may have come on board since the introduction of the GDPR. “They are a big risk factor,” says Öykü Işık, assistant professor of information systems management at Vlerick Business School in Belgium. “As employee data processors on behalf of the HR team, the GDPR also holds these suppliers accountable. It is the responsibility of HR to ensure they are working with suppliers that are compliant.”

However, there can be a lack of clarity over just who is responsible for taking on data protection responsibilities. “Data is still very much seen as an IT job,” says Helen Armstrong, chief executive of Silver Cloud HR. “Every HR team should have a data specialist to manage GDPR compliance on an ongoing basis, as well as manage the flow of people data around the business through other business systems.”

Technology can play a role in ensuring compliance with data rules. The use of the cloud, helping organisations to store sensitive data centrally on a secure platform, can help reduce the risks associated with data being held locally or shared inappropriately.

New tools are coming on to the market to help firms manage and demonstrate their compliance, says Cécile Georges, global chief privacy officer at ADP, “including tools to help companies manage their cookies or manage the requests of employees or former employees to access their data or have it deleted.”

Yet it would be a mistake to rely entirely on technology, warns Kartikeya Bajpai, assistant professor of management and organisations at Emlyon Business School in France. “It is important to remember that the principles underlying the GDPR are more about data stewardship than technical fixes,” says Dr Bajpai. “Educating HR personnel how to apply these principles in their day-to-day work is perhaps more important than technological solutions.”