Understanding the GDPR: What We Know at the End of 2018

Since the GDPR act was unveiled in May, it has led many companies to rethink and restructure the way they reach out to and communicate with their current and prospective audiences. The new, stricter guidelines left many companies in the dark about how they will affect their businesses.

There are three main reasons why you should care about the GDPR:

  1. Failing to comply will result in fines
  2. Even if you’re outside of Europe, it’s likely you will need to comply
  3. Your customer database will be more accurate

Ultimately, companies and businesses have had two years to bring their policies up to date, but complying with the changes hasn’t been easy for everyone. Some companies have gone down the route of emailing their customers about the changes to their terms and services, whereas others have had to shut down traffic from certain audiences. For example, the Chicago Tribune had to bar certain regions from entering its website because the site did not comply with European GDPR guidelines.

Who Does the GDPR Affect?

Understanding who the GDPR will affect and how can often be confusing, given the amount of misleading and often inaccurate information online. The ICO is the only source of information that you need to follow regarding the rules and regulations of the GDPR.

So, the information below has been taken straight from the ICO and Elizabeth Denham, the Information Commissioner in the UK, to help shed some light on who the GDPR affects and what you can do to adhere to its guidelines.

Personal data – this affects all information that can be used to identify someone. This includes:

  • Names
  • Emails
  • Titles (careers)
  • Locations

This also applies to both automated and manual data and even pseudonymous or key-coded data. In essence, if your business or service collects information that has the power to specifically identify someone, then GDPR will apply to you.

Email Marketing – if you rely on collecting customers’ email addresses in order to contact them, then you’re going to need to rethink the way you do that.

For example, if you’re an IT company and you want to inform people that you have a sale on, you’re going to have to prove your customers have specifically stated they’re happy to be contacted by you. Simply put, this means you will have to gain their permission in order to contact them.

There are various ways you can do this; the most popular method is to send an online form to fill out with checkboxes. This means the recipient(s) of this email have to consciously tick a box if they would like to be contacted by you (the boxes, by default, will always be unticked). If your customer fails to respond to your email, it will be seen as dismissive and you will have no right to contact them.

Failing to abide by this rule will result in a fine or penalty depending on the severity of the action.

Understanding Charities and GDPR

One of the more controversial issues that stemmed from the GDPR was its effect on charities.

Several charities have misunderstood the rules of the GDPR, leading them to email their donors asking them if they can still contact them, or ‘opt-in’ to their subscription service. The problem is that they never had to do this. Charitable organisations, for the most part, can still contact their donors because they fall under what the GDPR has categorised as ‘legitimate interest’ (direct mail also falls under this rule). This is a ruling that basically allows charities to keep hold of donors’ information, legally. Adrian Beney offers a simple example of how legitimate interest works:

“Here’s what we intend to do with your data. You can tell us if you’d prefer us not to”.

In contrast to consent:

“Here’s what we would like to do with your data. Tell us if that’s OK”.

This has led to several charities losing thousands of donors because they did not read or at least understand the rules of the GDPR. Charities that chose to take the ‘opt-in’ route inevitably lost donors because not everyone will have responded, meaning these donors can no longer be contacted.

Flybe, Morrisons and Honda Have Been Fined

Big corporations have been tripped up by the GDPR regulations by failing to follow fairly simple guidelines regarding unsubscribed customers.

Flybe sent an email with the subject line “Are your details correct?”, a smart and innocent way to get people to respond. However, Flybe sent that email to 3.3 million people who had already opted out, and was consequently hit with a £70,000 fine.

Honda were also fined £13,000 after they emailed 290,000 people who had opted out of their marketing emails. Morrisons, in a similar incident, emailed 290,000 people regarding their new “Match and More” point scheme, but 131,000 of those 290,000 people had already opted out. This set Morrisons back £10,500.

Ultimately, GDPR will be good for businesses because of the way it’s made us think about our online data and privacy policies. It’s forced us to think a bit more about who, online, has access to our data and how it’s being used. You could argue that several businesses have been exploiting our data for years, but now the GDPR is putting a stop to that.

Additionally, because customers now have to ‘opt-in’ to receiving marketing emails, businesses will lose all of the ‘false’ customers they had collected over the years. This means that when they’re correlating data, they can be sure that every customer is legitimate and isn’t simply a name on the mailing list that’s been dormant for months or even years.


The HR GDPR Divide: SD Worx survey reveals GDPR has polarised HR

Today SD Worx, the global HR and payroll service provider, revealed that out of 1,800 HR and payroll professionals, 44% do not know what the General Data Protection Regulation (GDPR) is. However, of the 56% that are aware of the impending GDPR, 81% feel they will be ready by the May 2018 deadline.

The findings, from a survey conducted across nine European markets, show surprisingly polarised views when it comes to the new legislation.

Of the 56% of HR and payroll professionals that are aware of GDPR, the majority are collaborating with other departments or outsourcing providers. 84% of respondents revealed that they are getting help from other departments in the organisation, yet 73% believe that GDPR compliance would be easier if HR and payroll was outsourced. In addition, the survey found that 91% are likely to look for additional skills outside the organisation to help with GDPR preparation.

Of those that are aware of GDPR, 55% of respondents believe GDPR is a risk to the HR industry, leading them to implement various preparations. 68% of respondents are absorbing as much as possible on the subject and reviewing and updating all existing policies and processes related to data protection, and 49% are assessing the need for changes to current business relationships (including with data contractors).

Jean-Luc Barbier, International Managing Director at SD Worx, commented, “This survey has revealed the clear divide in the HR industry. Even though those who have heard of GDPR are preparing for GDPR and think they are likely to be ready by the deadline, the other half of the industry has not heard of GDPR. Therefore, you would assume that the ones who aren’t aware aren’t making the necessary changes to their department. It’s great to see that those who are aware are seeking skills to help them from a variety of sources, both internal and external. What this survey tells us though is that a significant amount of education still needs to be done.”

When it comes to GDPR-readiness in the nine markets, the survey also highlighted various differences between countries. For example, only 67% of respondents in Austria believe their HR team will be fully GDPR compliant by the deadline, whereas in Ireland the rate was 90%. In addition, when asked if outsourcing for the HR and payroll department will make becoming GDPR compliant easier, 56% of Swiss respondents said yes, whereas Belgium (85%) and the United Kingdom (73%) were much higher.

Although the HR industry seems to be polarised, for those who have heard of GDPR, the benefits are recognised. When asked what the key benefit of GDPR is in the HR and payroll industry, 71% believe improved data security will be the biggest benefit, whereas only 3% believe that GDPR will bring no benefits at all.


People Analytics Is Core to the Future of the HR Function: Q&A with David Green


Today our guest is David Green, a truly globally respected and award-winning writer, speaker, conference chair and executive consultant on people analytics, data-driven HR and the future of work.

David is the Global Director, People Analytics Solutions at IBM Watson Talent. He is also the longstanding Chair of the Tucana People Analytics conference series, the next edition of which – the People Analytics Forum – takes place in London on 29-30 November.

David has spoken at conferences and/or worked with people analytics leaders in over 20 cities in the past year including San Francisco, Sydney, London, Paris, Singapore, New York, Amsterdam, Moscow and Berlin. This affords David a unique perspective and insight into what’s working, what’s not, and what’s forthcoming in the field of people analytics.

The interview is hosted by Alexey Mitkin, Founder, Publisher and Editor-in-Chief, The HR Tech Weekly® Online Media Co.

1. Hi David, and first of all thank you very much for this interview with The HR Tech Weekly®. The year of 2017 is approaching its end. What made a difference this year in the field of people management and HR technologies?

Thanks Alexey, it is a pleasure to speak with you. For me, 2017 has been a pivotal year in the field as the realisation that people analytics is core to the future of the HR function has become far more widespread. In one of his recent articles (see here), Josh Bersin described people analytics “as the lynchpin of success for HR in the next few years”, and I have to say I completely agree – although that probably doesn’t surprise you!

We still have some way to go in terms of widespread adoption and just as importantly in embedding analytics and data-driven decision making within organisational culture, but the acceptance that this is core rather than peripheral is a welcome momentum shift.

Elsewhere, the move from many companies to develop programs and technologies that personalise the candidate/employee experience in areas such as talent acquisition, onboarding, learning and mobility is also positive. It’s about time that we have rich and personalised experiences at work similar to those we already enjoy as consumers. Data and analytics plays a foundational role in this.

2. People analytics is an area of profound interest to business leaders. What do you see as the main trends in the people analytics space?

You are right to highlight the heightened interest levels in people analytics Alexey. I’d summarise the main trends as follows:

  • More and more organisations getting started with people analytics – 2017 seems to have been the year that the talking about when to start analytics stopped and the actual hard work in creating capability began for many organisations. So, the number of organisations in the early stages of their people analytics journeys is on the increase and many will face similar challenges in terms of data quality, skills and capabilities, stakeholder management/education and project prioritisation. Our recent IBM Smarter Workforce Institute research on HR Analytics Readiness in Europe demonstrated though that most organisations still have a long way to go.
  • Developing an analytical culture: this is key for organisations that want to develop sustainable capability in people analytics. This means exciting, equipping and enabling HR Business Partners, and clearly demonstrating and communicating the impact of people analytics initiatives within the organisation. This is the focus of many companies that have built initial capability and success in people analytics.
  • Ethics and privacy concerns: this continues to be the most important and challenging aspect for practitioners. Research from Insight222 reveals that 81% of people analytics projects are jeopardised by ethical and privacy concerns. With the EU GDPR legislation coming into effect in May 2018 and the emergence of new employee data sources, focus on this area will continue to be high.
  • The consumerisation of HR – as per my earlier point, many organisations that have developed people analytics capability are looking at ways to understand and improve the employee experience. In addition to the personalised machine-learning based technologies referenced earlier, this includes efforts to understand and analyse employee sentiment. You can’t do either of these things without analytics so those organisations that have already developed people analytics capability are in pole position to take advantage here.
  • Organisational network analysis (ONA) – interest in ONA has exploded in 2017 as organisations seek to better understand team effectiveness and productivity. Practitioners interested in this burgeoning area of people analytics should check out the work of Rob Cross, recent articles by Josh Bersin and vendors like TrustSphere, Humanyze and Worklytics. Expect interest in this area to continue to soar in 2018.

3. On the eve of People Analytics Forum 2017 could you slightly open the curtain on what makes an ideal agenda in modern HR analytics, workforce planning and employees insights then?

I always enjoy chairing the Tucana People Analytics World and People Analytics Forum events as the agenda is always cognisant of the fact that the diversity of delegates in terms of where they are with analytics varies widely. As such, the three tracks: Start (for those getting started), Grow (for those building capability and looking for deeper insight) and Advance (for advanced practitioners and those exploring new data sources) means there is something for everyone. This is hugely important as in my experience the people analytics community is highly collaborative and there is a mutual desire amongst practitioners for shared learning. The Tucana events provide this in spades.

4. It was heard that some attendees of conferences recently formed a viewpoint that the slow adoption of analytics has been because of a lack of practical cases delivered by speakers. Your point of view on the problem will be of great influence.

I haven’t really heard this viewpoint from many. I would argue the contrary in fact that most of the conferences I attend feature numerous and diverse case studies from practitioners. I think you need a balance of speakers from the practitioner, consultant, vendor and analyst communities as each provides a slightly different perspective – indeed much of the innovation in the space is coming from the vendor community. As such, at the conferences I chair, speak and attend there is normally much to inspire delegates whatever their maturity level when it comes to people analytics. Of course, there is a distinction between being inspired and imitation as each organisation faces different business challenges and has unique cultures. If I could offer one piece of advice to practitioners, whatever their maturity level, it is to channel their efforts on the key business challenges that have the biggest impact within their organisations.

5. What new data-driven HR solutions are on your watchlist and why?

As I mentioned before much of the innovation in the people analytics space is coming from the vendor community and I always recommend to practitioners to keep abreast of the latest developments here. Data-driven companies to look at include: TrustSphere, Alderbrooke Group, Aspirant, Glint, Visier, Crunchr, Workometry, Peakon, OrgVue, Headstart, Worklytics, Humanyze, Qlearsite, One Model, hiQ Labs, Cultivate and StarLinks; and those are just the ones I can remember off the top of my head!

If you’ll forgive the self-promotion, I would like to add that IBM is also doing some groundbreaking work in this space through bringing Watson to HR, particularly in the talent acquisition and the employee experience areas – see more here.

6. What advice would you give to HR professionals looking to boost their careers within the people analytics space?

Well, firstly you should get yourself along to the People Analytics Forum and read my articles on LinkedIn!

Seriously, analytics is a core capability for the future HR practitioner and it won’t be long before the likes of CIPD and SHRM build this into their educational programs. Until then, find some courses (like the Wharton School course on Coursera), attend some conferences, read some books (like The Power of People and the Basic Principles of People Analytics), and seek to learn from analytics professionals both in and outside of HR.

For me, HR is one of the most exciting places in business to work in at the moment and the increased use of analytics and data-driven decision making is one of the reasons why I believe this to be the case.


Employee Data and GDPR. What You Need to Know


Every organisation that processes personal data must comply with the new GDPR rules that take effect in May 2018. There are no exemptions based on size or sector, no staggered dates for compliance and, based on the current performance of the body responsible for policing data protection legislation, a rock-solid guarantee that the new regulations will be enforced and, where companies fall short, fines imposed.

Those with HR and people responsibilities are, without a doubt, at the front line of GDPR compliance. They work with personal data all the time: in fact, their jobs could be said to rely on it.

As custodians of employee information, they’ll be the ones who will need to audit existing processes; validate their own security and that of third parties that they share HR information with such as HR software and payroll providers; take on at least some of the responsibility for compliance training and monitoring and equip themselves to report any data breaches involving employee data, as well as respond to ‘subject access requests’ from employees.

Where should you start?

For many HR teams getting to grips with GDPR is understandably daunting. Not least, because so much has been written about the higher standard of consent for processing personal data that the legislation requires – and the cost of getting it wrong.

At first glance, asking employees for consent seems reasonable. You may already let employees know why you ask them for personal information and what you use it for.

However, when it comes to collecting and processing employee data in the context of GDPR, a reading of the regulations indicates that the focus on consent is misleading and could, in fact, be damaging.


Under GDPR, consent is defined as meaning “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

In an employment context, relying on consent is problematic for three main reasons:

  1. It’s administratively complex. Since consent needs to be ‘specific’ and shown by a ‘clear affirmative action’, a catch-all clause in an employment contract, or on the login screen to your HR software, won’t cover it.
  2. It’s unlikely to be enforceable in law. In an employment relationship, demonstrating free consent is almost impossible since the relationship is not one between equals. By refusing consent, an employee may feel that they put their relationship with their employer in jeopardy.
  3. By asking an employee to give their consent to processing information, you may inadvertently give them stronger rights to have their details deleted. What would be the business implications if, for example, an employee demanded that you delete data about their absences (sickness or otherwise), performance, skills, perhaps even their address? It may seem unlikely, but it’s possible.

Legitimate business interest

Instead, HR should rely as far as possible on legitimate business interest. This should cover the data that is required to ensure employers fulfil their contractual obligations to their employees: for example, to pay them, award paid time off, manage grievance or health and safety issues etc. It will also extend to issues relating to the effective running of the business, such as monitoring absences, performance reviews or skills audits (with a caveat in relation to automated decision making – which is also covered by GDPR).

Legitimate interest cannot be applied in all cases. For example, processing employee information related to wellness initiatives, while laudable, is likely to require consent, as is sharing personal data with third parties so they can market their services to your employees – however attractive the offer.

An essential first step for HR, therefore, is to audit and document employee information: what you gather and why, where you store it, how you ensure it is accurate and up to date and who you share it with. This forms the foundation for the other activities that HR – or someone else in the organisation – will need to address for GDPR compliance.

The ICO (Information Commissioner’s Office) has put together a handy 12-point plan for anyone with day to day responsibility for data protection, much of which is relevant to HR.

Beyond the data audit, top priorities for HR are likely to include: updates to privacy notices, review of current consent approaches, awareness and training activities, internal and partner data security reviews, processes for reporting data breaches and a cost-effective response to subject requests for information.

For HR teams making do with spreadsheets and paper-based files, GDPR may also provide the impetus to modernise personnel record keeping. In a side note to the legislation, the regulator recommends making use of employee self-service HR software, so that employees can both see, and where appropriate correct, the data their employer holds on them.

Consolidating HR information in a single, secure HR software system has other benefits for GDPR compliance. It’s generally easier to demonstrate that you have appropriate security in place if personnel records are held behind a secure login than in spreadsheets or office filing cabinets, and approval workflows and audit capabilities make tracing and tracking infinitely easier than trawling through historic emails.

Although GDPR will not be in force until May 2018, the new regulations will have significant implications for the way that companies manage their HR data. HR need to start to prepare now.

Please note: this article is based on our understanding of the requirements of GDPR and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation.  You should refer to the legislation and, if in doubt, work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.


If you want to share this article, the reference to Sue Lingard at Cezanne HR Software and The HR Tech Weekly® is obligatory.