Almost two-thirds (65%) of respondents believe that HR's skillsets pose the biggest obstacle to GDPR readiness, according to an audience poll taken during HR magazine’s webinar 'GDPR: What HR needs to know', held in partnership with Sage Business Cloud People.
Another poll found that just 14% of organisations feel very prepared for the General Data Protection Regulation (GDPR), which comes into effect on 25 May.
Speaking at the live webinar, T-Systems HRD Jake Attfield, Sage People VP Paul Burrin, McGuireWoods associate Sarah Thompson and London Business School’s data compliance manager Graham Jennings stressed that the GDPR poses a major challenge to HR leaders and the wider business.
“Applying the GDPR to all the different legacy systems a business has is one of the biggest challenges,” said Burrin. “The issue is there’s so much data. Not all of it falls within HR’s domain but that doesn’t mean HR doesn’t need to get a handle on it.”
For Jennings, HR needs to “lead by example” and “get its house in order within the wider business”.
He explained that there are three key ways for HR to take the lead: “HR can roll out e-learning to train employees across the business about data protection, introduce incentives for good practice, and enforce sanctions on employees that breach the regulations. This can help HR get the rest of the business on board.”
Burrin suggested that the GDPR rollout should be led by a dedicated data protection officer (DPO). HR should have some responsibility but it should “be clear who owns what”, he said.
The speakers went on to discuss whether an HR leader can and should take on the DPO role.
“The DPO can’t be in a position of conflict of interest and the employee’s role must be compatible with the DPO role,” explained Thompson. She advised that while a business is only legally required to appoint a DPO under certain circumstances, “guidance recommends that if you’ve got the budget to do it, do it”.
Whether GDPR compliance is owned by HR or not, the profession should collaborate with other business functions, including legal, IT and marketing, the speakers agreed.
Attfield advised HR to find a balance between the rights of former employees to have their data removed, and HR's responsibility to protect the business.
“Yes we should set limits on how long we keep certain pieces of information after an employee leaves. But certain employee data like names, start dates and reasons for leaving are critical for HR to keep hold of in the event a former employee takes up a future tribunal or legal proceedings against the company,” he said.
Thompson agreed that “any employee can ask for their data to be deleted when they leave but HR can say no”.
“HR should implement a policy with a suitable time period for keeping employee data,” Jennings suggested. “But, ultimately, it must be approached on a case-by-case basis.”
While the panel agreed that the GDPR is a challenge for HR, Attfield encouraged HRDs to see it as an opportunity for better employee engagement.
“There’s the opportunity here with the GDPR to reach out to employees about what data we have and how we use it,” he said. “For example, diversity and inclusion data is not mandatory for employees to provide at the moment. We can use the GDPR to engage employees around areas like this, giving us useful data to act on in the future.”
Another poll run during the webinar found that recruitment, payroll and reward, and benefits were the main HR areas which will be affected by GDPR.
A recording of this webinar is available here for those who missed the live event. Further coverage will be included in a future issue of HR magazine.