Two business leaders discuss their game plan for the EU's upcoming data privacy regulations.
By Marta Chmielowicz
The EU General Data Protection Regulation (GDPR) is on the horizon, going into effect from 25 May 2018 onward. Forcing companies to scrutinise how they handle and process customer and employee data, the GDPR is turning data protection from an afterthought to an essential business function. No business—large or small—will be left untouched.
In order to understand the impact of the GDPR on the world of business, HRO Today Global interviewed a duo of experts who offer two very different perspectives: that of a small business owner and entrepreneur, and that of an HR director at a global company.
HRO Today Global: How have you prepared for the forthcoming GDPR?
Linda Smith, founder and director, Chartwell People Solutions Ltd.: As the founder of a new small business, I've spent a lot of time in the last few months researching and understanding the new regulations. From this, I've developed a set of practical policies and procedures specifically for my business.
For me, this is about more than just compliance—it's about building trust. The credibility and reputation of any business, especially a new one, is vital. Organisations should have materials and policies in place to handle a data protection issue if it arises.
Charlotte Sword, partner and global head of HR, Foster + Partners: The practice set up a working group to create a project plan and prioritise actions. These actions included identifying data we currently hold and the legitimate reason for holding such data. We also looked at our suppliers and how they control and hold data.
HROTG: What are the key challenges that you've encountered during your preparations?
Smith: Typically, small businesses and entrepreneurs don't have access to legal firms or the budget to obtain specialist advice. For them "time is money," so spending precious hours to understand what these new regulations mean for their business just isn't practical or cost effective. It takes the focus away from delivering to clients.
It's easy to be confused and overwhelmed by the information out there. I've seen lots of small business leaders and entrepreneurs use discussion boards and their networks to share knowledge and tips on how to implement the new regulations. It's positive to see how collaborative small businesses can be.
Sword: The key challenges were around understanding the requirements and how best to deal with historical information and timescales for holding a variety of data. There are different and varying requirements that make this quite difficult and complex. This is exacerbated when you consider paper files.
HROTG: In light of the recent Facebook data breach by Cambridge Analytica, do you feel that these regulations will be beneficial and worth the effort in preparation?
Smith: The recent scandal certainly highlighted the challenges of operating in a global environment where the power of social media touches all of our businesses and influences our views about credibility and ethics. Nobody wants to feel they have been misled by an organisation or think their data may have been used for an entirely different or unethical purpose.
Building trust with employees and individuals is so important. I see the increased responsibility to be transparent about the personal data organisations hold as positive. However, the technology and systems needed to ensure compliance bring additional time and cost demands.
Sword: I think these new regulations will be beneficial to protecting individuals. However, it does come at a time when there are a lot of legislative changes underway.
HROTG: How are the GDPR principles of "privacy by design" and "privacy by default" affecting your company's culture and philosophy, and how are you communicating this to employees?
Smith: These principles mean organisations need to embed strong governance and ethics in day-to-day working practices. Being transparent and honest about the data you hold and why you need it will be critical to maintaining a positive and open culture.
Knowing that new products and services will now have the strictest privacy settings automatically applied is positive and will build trust. It will be interesting to see if companies openly communicate this as a way to boost client confidence.
Sword: The privacy statement is being communicated widely throughout our business and we have compiled a training course to explain requirements and the importance of dealing with data in a sensitive and confidential manner.
It is too early to understand the full impact that not being able to access data as easily as before will have on culture and the way it is perceived by individuals within the business. Our people tend to be quite open and time will tell the impact after the restrictions are felt.
HROTG: How will the role of HR change as a result of GDPR?
Smith: Keeping on top of the regulations means being disciplined and committed to invest regular time to maintain ongoing compliance. Of course, the new regulations mean data retention and destruction policies need to be embedded in day-to-day working practices. Ensuring this actually happens is not just the responsibility of HR, but all business leaders across the organisation. Everyone has an important role to play to ensure good practice and a positive culture of respecting personal data. I know some business leaders have sent messages to their teams reinforcing their support, highlighting data protection is critical to client and employee trust and confidence.
On a practical level, there are many occasions when employees or individuals ask an HR department for old information. The new regulations mean this information is likely to be destroyed. So, a desire to be helpful could lead to a breach of compliance and possibly a complaint—HR teams need to watch out! There could be an uncomfortable transition period where HR teams need to clearly communicate what they can and cannot do to help.
Sword: I think HR will become a gatekeeper of data, responsible for pushing back to the business regarding the necessity of data release and control. The fear is the perception of HR as a function that polices the business rather than a function that enables success.
HROTG: What do you predict will be the greatest business impact of GDPR?
Smith: The new regulations mean significantly larger fines, and all organisations will want to avoid the cost and bad publicity. The news that Cambridge Analytica is no longer operating shows how quickly client confidence can be lost, and it's sad to see employees lose their jobs.
Enterprises face many demands on their time and budget, and the GDPR will undoubtedly increase the need to document and follow consistent working practices. This has the potential to impact productivity in the short term. The new regulations also increase the rights of individuals, so it will be interesting to see if companies receive more data subject access requests.
Sword: I think data maintenance, administration, and auditing, among others, will become more onerous. Also, data subject access requests may be used more frequently to check business compliance.