· News

Firms plan GDPR compliance incentives

GDPR must be part of the disciplinary process but offering rewards for compliance may not be the best approach warn some

Nearly three-quarters (71%) of businesses are planning to introduce rewards or penalties to encourage GDPR compliance among their employee base, according to Veritas Technologies.

The 2017 Veritas GDPR Report, which surveyed 900 businesses across the UK, France, Germany, Australia and Singapore, found that almost half (47%) will also add mandatory GDPR policy adherence into employees’ contracts.

When it came to whether employers planned to use a carrot or stick approach, 34% said they plan to reward employees for complying with GDPR policies, 41% plan to implement disciplinary procedures if these are violated, and a quarter (25%) would consider withholding benefits, including bonuses.

Mike Palmer, executive vice president and chief product officer at Veritas, said: “Data is one of the most crucial assets within an organisation, yet many businesses are struggling to implement good data hygiene practices – and that often starts with employees. However, our research shows that businesses are getting serious about driving cultural change within their organisations.”

Liam Kenealy, a solicitor and head of employment law at Spencer Solicitors, said that offering employees rewards for compliance could however be tricky. “I am not against incentivising, [but] I think it’s hard to incentivise something like data breaching,” he told HR magazine, pointing to the crucial role of education and training.

“There’s a couple of ways [of ensuring compliance],” he said. “One is technology: so taking steps with IT staff to better secure the data, for example encryption of emails, external hard drives, laptops, memory sticks etc. And two is a cultural change: ensuring staff know what GDPR is and the steps they can take to ensure human error doesn’t affect it resulting in a data breach.”

He added that a strong disciplinary process around GDPR was essential. “It must be part of the disciplinary process, a performance or misconduct issue to deal with,” he said. “Breaches of GDPR should be considered as potential disciplinary issues.”

Dominic Wrench, an associate at Taylor Vinters, agreed that rewarding employees in relation to GDPR might not be the best approach. “Compliance with good data protection hygiene should become the norm and not something that employees should be rewarded for,” he said. “Employees will need to be made aware of any relevant data protection policy and comply with its terms, in the same way as they must comply with any other company policy.

“Rather than rewarding employees organisations should try to foster an educated, open and responsive culture where employees are aware of their role in data protection, alert to any dangers, and appropriately reactive to any personal data breaches.”

The Veritas report found that companies expect to benefit from abiding by good compliance habits, with saving money (64%), brand reputation (59%) and protecting data (51%) all cited.

“It’s a sales point for businesses – if you can demonstrate your compliance for GDPR that might be a tick in the box,” said Kenealy. “Hopefully it will have a positive impact.”

He added: “The purpose [of GDPR] is to ensure that individuals’ data is safeguarded, particularly with cyber crime being so high these days, so it’s an opportunity for businesses to enhance the services that they provide.”

From May 2018 new GDPR legislation will change the way that businesses handle personal data and what information they hold. The new regime aims to harmonise current data protection laws and to update existing (20-year-old) provisions, and governs the collection and processing of personal data in the EU.