Ah, remember the heady days of May, when Harry and Meghan tied the knot and our inboxes groaned from the assault of the GDPR-related messages? Happy times!
The GDPR (General Data Protection Regulation) emails have thankfully dried up following the passing of the deadline. But the need to comply has not. There is an onus on HR to protect employee data under these rules. Yet doing so is seldom straightforward, considering a lot of this data is processed and hosted by HR technology providers. So how should HR work with these suppliers to ensure that employee data is protected and all parties remain compliant?
“HR is dependent on tech providers providing solutions,” says Helen Armstrong, managing director of HRIS consultancy Silver Cloud HR. “Some are doing this better and quicker than others; it depends on their system. Without the necessary system processes, HR teams are left to work out a manual workaround. But tech providers must enable compliance, so HR should put pressure on them to deliver as soon as possible.”
One problem is that HR teams “may have to implement an upgrade if they have an on-premise system to receive the GDPR functionality. This is something they may not have planned – or budgeted – for”.
Many HR technology providers, Armstrong explains, are working on the issue of how to purge data or enforce the ‘right to be forgotten’ principle that the GDPR dictates. Yet it’s still early days and getting it right will take time. In future, she hopes to see software providers add settings so that system administrators can automate this purging, by setting a time limit on personal data fields that will automatically purge data without manual intervention. For instance, these limits could mean the automatic deletion of an employee’s bank details one month after leaving the organisation.
So what are the key questions HR should be asking of its suppliers?
“Start by asking them to tell you how they work with compliance in their own words, which should give you an idea if they know what they are talking about,” advises Cecilia Westerholm Beer, chief HR officer at Bisnode. “Get a grip of their knowledge in the area, not just what the supplier writes on the webpage or in brochures. If you need to, bring in your DPO [data protection officer] or other people that have deep knowledge in compliance to ensure the supplier really knows what they’re talking about.”
If the supplier is going to handle sensitive information about employees, it is imperative to find out what additional security they have in place for this, says Westerholm Beer. “It is important to understand what they have done, both technical and organisational, to protect the data we share with them. For example, where is the data stored (EU or other), who can access our information, and how has the supplier secured their competence?”
Suppliers are also in a unique position to offer insight into how different clients work. It is often the customer – in this case HR – who realises where there is room for improvement, points out Westerholm Beer. So it’s important there is a forum for HR to share feedback with the supplier.
Some of Bisnode’s best “and most appreciated” suppliers have proven “really proactive” in both providing information on how they handle data and suggesting how to collaborate. “That builds trust and makes us much more secure,” Westerholm Beer says, warning though that she has “seen the other scenario as well – where a supplier is clueless”.
Competent technology vendors will already have mechanisms in place to listen to their customers and make changes to their systems to reflect their needs. “There is no doubt that any updates made to a platform by a vendor should have been done to support an end-to-end process that is deemed best practice,” says Jason Dowzell, CEO and cofounder of Natural HR.
“When this is the case, the vendor is very well-placed to advise customers on new ways of working, supported by their updated toolkit. That’s really the main job of a software company, irrespective of the GDPR. Vendors that focus on user experience will have carefully designed updates to suit the reality of what customers actually do day-to-day.”
In the case of the GDPR, says Dowzell, a vendor should be able to advise on areas such as the process for gathering and evidencing consent or to fully complete any requests for data access or erasure. “Vendors, however, are not the right advisors for the choices customers will need to make around areas such as policy, internal cultural awareness, legal matters, dealing with breaches, insurance and so on,” he adds.
For Sage Business Cloud People VP Paul Burrin, HR shouldn’t rely on the tech provider to have all the answers, but rather work with them to ensure core compliance aspects of the GDPR are met.
“Anyone can provide advice and suppliers are expected to fulfil their obligation, if any, with the GDPR,” adds Burrin. “But the ownership and penalty for non-compliance ultimately comes back to the data controller – in this case, HR – and so they must take full accountability.”
It’s a view shared by Joe Healy, HR director at the Society of Petroleum Engineers (SPE). He says data privacy is “bread and butter for HR professionals; we’ve always treated personal data very carefully”. For instance, SPE worked closely with Talentia to ‘stress test’ a new HCM system.
But many organisations are far from on top of the issue. “There seems to still be a lot of companies, perhaps around 50%, who weren’t prepared for the 25 May deadline and still aren’t likely to be by the end of the year,” says ADP global chief privacy officer Cécile Georges. At the very least, she says, by now the laggards “should have solidly embarked on their roadmap to tackle the privacy principles”.
Of course, the burden of compliance does ultimately sit on the shoulders of HR. But working smartly with tech vendors can lighten the load.
This piece featured in our recent Futureproofing versus present practicalities technology supplement.