The GDPR is Europe’s new data protection law. It comes into effect in May 2018. This blog post by HR software experts Tania Teetz and John Kleeman summarises some of the challenges and opportunities around the GDPR and data protection that they presented at the HR Open Standards Community Meeting in Bad Nauheim, Germany in November.
As you may know, the GDPR governs the protection of personal information of individuals located in Europe. It applies to any organization that collects or processes personal data of EU residents.
And Europe is not the only region implementing data protection changes. Many countries in Asia and Latin America have recently introduced or updated data protection laws, and the Indian Supreme Court recently ruled that privacy is a fundamental human right.
So with data protection growing around the world, we spotted four challenges and four opportunities for companies involved in HR technology.
- Guidance unclear. The legal language of the GDPR is principle-based and leaves many practical details unclear. The regulatory authorities are producing guidance, but much of it is not available yet, which means that organizations have many uncertainties to resolve before the GDPR comes into force in May 2018.
- Access requests. It seems unclear in the GDPR how much information within an HR system an applicant or employee can request to see via a subject access request. For example, if someone is rejected for a job, how much can they see about the employer comments on their application or the logic that led to that decision? A guideline on the right to "data portability" exists from the Article 29 Working Party to clarify at least the data that has to be provided when a data subject asks for portable data.
- Backup. Data protection laws typically require deletion of personal data when it is no longer needed or, in some cases, when a data subject requests erasure. But most computer systems keep backup copies of data in case of disaster. Often that backup is write-once, i.e. it cannot easily be modified. So if data is deleted in the primary system, how do you ensure it is deleted in the backup too? There are several approaches to this; one is to keep the retention period for backups short (e.g. 30-60 days) so that all backups get deleted reasonably quickly in any case.
- Should vendors force compliance? Should HR vendors implement software features that force customers to comply with legislation or should they provide flexibility to allow customers to do what they want, even if that might not be legitimate in some jurisdictions? In most cases the answer will probably be “it depends”, and has to be considered individually per functionality. Many vendors also consider it a good idea to do some risk analysis to accompany this decision.
- Privacy by design. We all know the value of security by design – and all successful software companies build in security from day one and make security the default. Privacy by design originated in Canada and for a long time was just an idea, but it’s grown and is now advocated by the GDPR. Could privacy by design be one day seen as crucial as security by design?
We suspect many successful vendors will implement data protection by design and default, data minimization, pseudonymisation and other privacy by design concepts.
- Trusted advisor or compliant vendor? In order to implement compliant systems, HR technology companies gain a lot of knowledge about data protection law, but how much of that can we pass on to our customers? It’s a really fine line to draw: what advice can be given without giving legal advice? We are not lawyers, but there is perhaps an opportunity to be trusted advisers as well as compliant partners or processors.
- Big vs siloed data. There is a risk that data protection rules will force organizations to “silo” their HR data – keep it within geographical regions, and not get the benefit of “big data” analysis to improve performance. There is an opportunity to innovate to ensure that we can get the benefit of “big data” analysis while still maintaining privacy. It’s worth taking a look at the HR Open Standards Data Protection standard to see if it can help in this area.
- Can data protection be a competitive advantage? The GDPR requires controllers to choose “expert” data processors, and being knowledgeable and compliant with data protection laws will surely help vendors win and maintain business. More widely, the GDPR and other data protection laws could help the whole HR technology ecosystem by resolving privacy concerns and so encouraging everyone to further trust use of the cloud and technology.
To some extent, all need to follow data protection, but there may be advantages for companies who have profound knowledge of one country’s laws or who know and follow laws in many countries.
Tania Teetz is Product Manager at recruitment software vendor milch & zucker (www.milchundzucer.com) and John Kleeman is Executive Director and Founder of assessment management system vendor Questionmark (www.questionmark.com). You can see their full presentation here.