Data compliance: Whose job is it anyway?
With the GDPR looming, what's HR’s role in ensuring everyone stores and uses data responsibly?
Big companies are increasingly reliant on big data. But this reliance can cause big problems.
In addition to a number of high-profile data leaks over the last few years, data was also controversially thrust into the limelight recently thanks to the Cambridge Analytica saga.
A whistleblower alleges that the data analytics firm harvested personal information from more than 50 million Facebook profiles without permission and used this information to target US voters in the 2016 presidential election with personalised political advertisements. It’s also been alleged that a digital services firm linked to Cambridge Analytica was involved in a breach of campaign spending rules during the Brexit referendum.
These examples underline how difficult handling the personal data of customers and employees can be, especially as tough new regulations that will strengthen data protection for EU citizens come into force this month.
Which begs the question: in this rapidly-evolving world where data sits at the heart of many organisations, what role can HR play in creating cultures of data responsibility and compliance?
At present HR faces a major challenge getting its voice heard on the topic, according to Kim Bradford, principal owner and managing consultant of Sphere HR and Sphere Data Protection, who comes from an HR background and offers data protection advice to businesses.
“Ideally HR should have a seat at the table for all kinds of strategy that happens within a business or for things that will affect a business,” says Bradford. “However, it’s quite rare to see that, and if you’re not there at the table helping to shape the strategy and direction or the products or services of a business, then it’s really difficult to have that influence over whatever it is you want to talk to [the board] about.”
The other problem many organisations fail to get to grips with is that data often tends to fall between a number of different pillars of responsibility, with IT departments, marketing teams and HR functions all potentially collecting and managing different data sets. Then there are issues around who can access this data.
“Often when an HR department is questioned about controlling access to their data they deny responsibility, as it is deemed a network systems issue, with HR not managing servers,” says Colin Tankard, managing director at data security company Digital Pathways. “But it is the HR department’s responsibility to control their data. They should go via their security operations team to ensure that separation of duty is in place between network operations and the viewing of documents.”
Tankard says that this ‘separation of duty’ will become even more important when the new General Data Protection Regulation (GDPR) regime comes into force. “Under the GDPR the data processing officer [required by the legislation] cannot be from within IT as there’s a conflict of interest,” explains Tankard. “Again, this is why system administrators should be separated from viewing HR data.”
In short, the GDPR tightens the laws around what data companies can collect on individuals and how they use it. Failure to comply could prove costly: fines of up to 4% of annual global turnover or €20 million, whichever is greater, can be imposed.
Different companies are approaching the new law in different ways. T-Systems’ HR director Jake Attfield says that because his company is B2B “the focus of GDPR work is on employee data rather than customer data.” He adds: “The focus of our awareness and training programmes is to align the messages with our existing employee engagement around wellbeing and caring for our staff, as this extends to respecting their personal data and ensuring its security and integrity at all times.
“It is essential that this is not seen as a topic that is in any way separate to our overall strategy or organisational culture, and as such it’s important it is made relatable to all people in all roles,” he explains. “And that everyone understands their contribution to ensuring we minimise the risk to the business and what the potential impact could be.”
Judging by recent research carried out by Henley Business School, T-Systems’ approach is a sensible one. According to Ardi Kolah, executive fellow and director of the GDPR Transition Programme at the business school, employee training is the frontline of defence for businesses that want to avoid falling foul of the new regulatory regime.
“Organisational and technical changes may need to be put in place to comply with the GDPR, but these will fail unless suitable training and support is provided to employees – including contractors – so that there are no unintended consequences or risks being taken,” says Kolah. “This is because human factors are the principal cause of why things often go wrong and lead to a breach of personal data.”
It’s a view shared by Bradford, who says: “IT policies should link into HR policies, which should link into training and awareness for staff so that everyone is aware of what they need to do. That does require a fair amount of effort – it doesn’t happen organically.”
It may take a lot of time and energy but Chris Roebuck, visiting professor of transformational leadership at Cass Business School, believes the scenario outlined by Bradford can be achieved if organisations take a three-pronged strategic approach to implementing new guidelines – whether that be around the GDPR or the use of data generally.
“Firstly it’s about awareness,” says Roebuck. “Has the company taken sufficient steps in terms of communication through various channels to make people aware that there is something here that they need to do?
“Secondly it’s about understanding. Having made them aware, has the organisation made it clear to them what they are required to do and how? And then finally it’s about willingness. Within the two previous stages, has the organisation set out a compelling reason as to why people should put effort into this? Those three things sound really basic, but if you look at why things mess up within an organisation or why things go well you will find that the reasons fall within those three buckets.”
He adds that, even if a company has the best data systems in the world, if people don’t want to use these systems or if they only use them in a “tick-box or compliance-type way then you will still have a risk because these people will do their job but nothing more”.
As the Cambridge Analytica saga and the looming new GDPR regime underline, in this era of big data organisations of all sizes can ill afford for this to happen, because mismanaging individuals’ personal information could prove a big and costly mistake.