Two business leaders discuss their game plan for the EU’s upcoming data privacy regulations.
By Marta Chmielowicz
The EU General Data Protection Regulation (GDPR) is on the horizon, going into effect from 25 May 2018 onward. Forcing companies to scrutinise how they handle and process customer and employee data, the GDPR is turning data protection from an afterthought to an essential business function. No business—large or small—will be left untouched.
In order to understand the impact of the GDPR on the world of business, HRO Today Global interviewed a duo of experts who offer two very different perspectives: that of a small business owner and entrepreneur, and that of an HR director at a global company.
HRO Today Global: How have you prepared for the forthcoming GDPR?
Linda Smith, founder and director, Chartwell People Solutions Ltd.: As the founder of a new small business, I’ve spent a lot of time in the last few months researching and understanding the new regulations. From this, I’ve developed a set of practical policies and procedures specifically for my business.
For me, this is about more than just compliance—it’s about building trust. The credibility and reputation of any business, especially a new one, is vital. Organisations should have materials and policies in place to handle a data protection issue if it arises.
Charlotte Sword, partner and global head of HR, Foster + Partners: The practice set up a working group to create a project plan and prioritise actions. These actions included identifying data we currently hold and the legitimate reason for holding such data. We also looked at our suppliers and how they control and hold data.
HROTG: What are the key challenges that you’ve encountered during your preparations?
Smith: Typically, small businesses and entrepreneurs don’t have access to legal firms or the budget to obtain specialist advice. For them “time is money,” so spending precious hours to understand what these new regulations mean for their business just isn’t practical or cost effective. It takes the focus away from delivering to clients.
It’s easy to be confused and overwhelmed by the information out there. I’ve seen lots of small business leaders and entrepreneurs use discussion boards and their networks to share knowledge and tips on how to implement the new regulations. It’s positive to see how collaborative small businesses can be.
Sword: The key challenges were around understanding the requirements and how best to deal with historical information and timescales for holding a variety of data. There are different and varying requirements that make this quite difficult and complex. This is exacerbated when you consider paper files.
HROTG: In light of the recent Facebook data breach by Cambridge Analytica, do you feel that these regulations will be beneficial and worth the effort in preparation?
Smith: The recent scandal certainly highlighted the challenges of operating in a global environment where the power of social media touches all of our businesses and influences our views about credibility and ethics. Nobody wants to feel they have been misled by an organisation or think their data may have been used for an entirely different or unethical purpose.
Building trust with employees and individuals is so important. I see the increased responsibility to be transparent about the personal data organisations hold as positive. However, the technology and systems needed to ensure compliance bring additional time and cost demands.
Sword: I think these new regulations will be beneficial to protecting individuals. However, it does come at a time when there are a lot of legislative changes underway.
HROTG: How are the GDPR principles of “privacy by design” and “privacy by default” affecting your company’s culture and philosophy, and how are you communicating this to employees?
Smith: These principles mean organisations need to embed strong governance and ethics in day-to-day working practices. Being transparent and honest about the data you hold and why you need it will be critical to maintaining a positive and open culture.
Knowing that new products and services will now have the strictest privacy settings automatically applied is positive and will build trust. It will be interesting to see if companies openly communicate this as a way to boost client confidence.
Sword: The privacy statement is being communicated widely throughout our business and we have compiled a training course to explain requirements and the importance of dealing with data in a sensitive and confidential manner.
It is too early to understand the full impact that not being able to access data as easily as before will have on culture and the way it is perceived by individuals within the business. Our people tend to be quite open and time will tell the impact after the restrictions are felt.
HROTG: How will the role of HR change as a result of GDPR?
Smith: Keeping on top of the regulations means being disciplined and committed to invest regular time to maintain ongoing compliance. Of course, the new regulations mean data retention and destruction policies need to be embedded in day-to-day working practices. Ensuring this actually happens is not just the responsibility of HR, but all business leaders across the organisation. Everyone has an important role to play to ensure good practice and a positive culture of respecting personal data. I know some business leaders have sent messages to their teams reinforcing their support, highlighting data protection is critical to client and employee trust and confidence.
On a practical level, there are many occasions when employees or individuals ask an HR department for old information. The new regulations mean this information is likely to be destroyed. So, a desire to be helpful could lead to a breach of compliance and possibly a complaint—HR teams need to watch out! There could be an uncomfortable transition period where HR teams need to clearly communicate what they can and cannot do to help.
Sword: I think HR will become a gatekeeper of data, responsible for pushing back to the business regarding the necessity of data release and control. The fear is the perception of HR as a function that polices the business rather than a function that enables success.
HROTG: What do you predict will be the greatest business impact of GDPR?
Smith: The new regulations mean significantly larger fines, and all organisations will want to avoid the cost and bad publicity. The news that Cambridge Analytica is no longer operating shows how quickly client confidence can be lost, and it’s sad to see employees lose their jobs.
Enterprises face many demands on their time and budget, and the GDPR will undoubtedly increase the need to document and follow consistent working practices. This has the potential to impact productivity in the short term. The new regulations also increase the rights of individuals, so it will be interesting to see if companies receive more data subject access requests.
Sword: I think data maintenance, administration, and auditing, among others, will become more onerous. Also, data subject access requests may be used more frequently to check business compliance.