Risk and Compliance

Creating a Culture of Compliance

Ways HR can mitigate risk in the coming era of the GDPR.

By Caroline Tahon

With the General Data Protection Regulation (GDPR) coming into full effect this May, many organizations are updating their technology and processes to ensure compliance. What they may be overlooking, however, is the human aspect of information privacy and security.

When done right, prioritizing a shift toward a culture of compliance can have benefits that extend well beyond the avoidance of repercussions. Developing an understanding and responsibility among employees on how to handle sensitive information, what counts as sensitive information, and what their own rights are can instill confidence and build trust among both employees and customers.

But how can companies accomplish this?

From Tech to Talk

In the coming months, there will be a huge focus on making sure the correct systems and patches are in place for GDPR compliance. Employees are likely to hear words like “multi-factor authentication” and “anonymization” if their watercooler is anywhere near the IT department. But that conversation in itself may pose a compliance risk. Verbal conversations can be overheard and printed documents can be left in public areas, so in order to truly ensure compliance, data management processes must go far beyond IT. Organizations must think about how information is passed around and managed, and how those processes could expose sensitive information to others.

While technologies put in place for GDPR will ensure that personal data is only captured and released with the owner’s consent, the consent may only extend to that particular release of data. Unless explicitly stated in the data consent form, a business is likely no longer compliant with GDPR if someone prints out that information and passes it around the office. Organizations need to think about the potential repercussions of passing around personal information, either electronically or as a printed copy, where employees may take it, send it, or leave it out for any visiting eye to see.

Building a culture of compliance begins with training and change management. If organizations don’t provide training on the new systems and expectations, they can fall out of compliance purely due to lack of understanding. Companies that don’t already have a culture that instills caution around handling personal data can begin by educating their workforce about the fact that all the information they access on a daily basis has value and must be treated with care. Many people understand that financial data is personal and highly confidential, and this can be used as an example to illustrate that all information must be handled with that level of discretion. To some, a home address may be just as sensitive as salary information.

In the era of remote work, many networks are set up to make the collection of information easy and seamless. However, it’s important to remember that with added convenience comes added risk: the more endpoints there are to information, the more doorways there are for data to slip out due to a malicious actor or a clumsy leak.

To lessen this risk, organizations that adopt a culture of compliance need to emphasize that data within the organization can only be distributed on a need-to-know basis. For example, payroll employees can have access to personal data, but training executives who are also within the HR department and probably sit right next to those handling payroll don’t need access to that information. That way, those training executives need not worry about being the gateway for that information to fall into the wrong hands. This need-to-know policy should instill a level of accountability within each employee and an understanding that whatever information they have access to is something they must take great care of.

Employees who have been trusted with personal data need to be sure they can reach all of it, no matter how old, and at a moment’s notice. Under GDPR, anyone whose data is stored within a company’s systems can ask for their information at any time, so employers need to have the IT capabilities and personnel in place to extract that information upon request. This new regulation presents an opportunity to build relationships. For example, an ex-employee reaching out for details could become a boomerang employee if that transaction is handled with care and creates renewed trust.

IT and HR functions need to be tightly aligned in their goals and values as they prepare for GDPR. HR needs to understand what IT is doing, such as where the flow of data goes and what system processes are in place for employees to maneuver around. IT needs to be familiar with HR processes so they can ensure that HR is handling data in a compliant and secure way. And if an emergency ever comes, collaboration between these teams ensures that people are comfortable working together and have a plan in place that everyone is on board with.

Support for Success

Organizations adapting to this new regulation may have a lot of questions along the way, and they shouldn’t try to go it alone. Talking to others within the industry can uncover new options and processes that companies can adapt to suit their organization’s needs. For even more support, employers can consider bringing in a partner that can help them evaluate, plan for, and execute their new data management processes and support compliance.

Overall, business success in this new era of compliance will be largely based on organizations’ attitudes. If a company views GDPR as a room of lasers to maneuver through, it will bring negativity into its workplace. Instead, GDPR should be viewed as an opportunity to increase trust with employees, customers, and everyone companies engage with.

Caroline Tahon is the senior director of legal and data privacy at SAP SuccessFactors.

Tags: Culture, Data & Analytics, EMEA, Magazine Article, March-2018, Risk & Compliance