People-related data is arguably HR’s most important asset. But when data becomes a core asset, the need for careful data governance becomes even more pressing.
Today’s HR teams potentially have access to huge amounts of data, and this can bring great rewards for those who use that data intelligently. But data also brings its own unique challenges. Therefore, before implementing any data-driven HR approach, it’s important to consider the potential pitfalls that surround employee-related data, particularly employees’ personal data.
Obviously, HR teams need to operate within the data privacy laws of their country. In the UK, unless you’ve been living under a rock, you’ll know that personal employee data comes under GDPR (the General Data Protection Regulation), which comes into effect in May 2018. Suffice to say that GDPR will impact the way HR teams gather, store and work with employee data.
What’s interesting about GDPR is how it cracks down on companies that take a laissez-faire approach to data privacy. Companies that fail to properly protect employees’ personal data, or are found to be misusing personal data, face stiff fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater.
PROTECTING AGAINST DATA BREACHES
Amidst this harsher regulatory landscape (not to mention the reputational fallout of high-profile data breaches), HR data must be properly secured and protected from threats. If you think that no one would be interested in stealing your employee-related data (as opposed to, say, customer credit card details), think again. It may surprise you to know that medical data is 10 times more valuable to criminals than credit card data. So the lesson is: if it contains personally identifiable information, data of any kind can be valuable.
But hoodied criminal hackers trading data on the dark web aren’t the only source of data breaches. The insider threat (whether malicious or through sheer ineptitude) is huge. In one example, a Boeing employee inadvertently caused a breach that might have exposed the personal data of 36,000 Boeing employees, including their names, dates of birth, and social security numbers. How? The unlucky employee was having trouble formatting a spreadsheet, so he sent it on to his spouse for help, unaware that the spreadsheet contained hidden columns with confidential information.
In another example, a disgruntled employee of British supermarket Morrisons deliberately exposed colleagues’ personal data online. In a landmark High Court case, the supermarket was found liable for the breach. Just imagine the consequences of such a breach when GDPR is in effect. The damage to a business’s finances and reputation could be catastrophic.
UNDERSTANDING THE ETHICAL PITFALLS
As well as sitting on the right side of the law, HR teams also need to ensure their data usage sits within the company’s ethical boundaries. Most companies these days emphasize a culture of openness and honesty. If your data-driven HR activities fly in the face of that culture – for example, by clumsily implementing data projects or poorly communicating how data is used – it could lead to massive morale and trust issues.
That’s why one of the key pieces of advice I give to businesses is this: transparency. Transparency around what employee data is being collected, transparency around why it’s being collected, and transparency around how it will be used.
It’s also important to add value for employees and emphasize the positive outcomes of using their data. People are far happier for their data to be used when they feel they’re getting something valuable in return, whether it’s better working conditions, more effective management, a safer environment, or whatever.
THE IMPORTANCE OF GOOD GOVERNANCE
Practicing good data governance will help ensure your HR data remains a valuable asset and doesn’t turn into a liability. Here’s a snapshot of what good data governance means in practice:
- Create Data Governance Procedures (if you haven’t already). This may include defining who owns the various people-related data within the organization, who is responsible for data accuracy, who is responsible for controlling access to the data, and who is responsible for updating the data. It should also cover how the data can be used.
- Get Consent For Employee Data. Consent is a critical pillar of data privacy. This means HR must get employees’ express permission in order to collect and process their personal data. It used to be that consent was assumed as part and parcel of employment. Thanks to GDPR, that’s no longer the case.
- Be Strict About Data Usage. GDPR means you can only use personal data for the specific purpose for which consent was given. If you want to use the data for a different purpose, a new permission is needed. It’s vital HR colleagues fully understand this, as the fines for misusing data can be enormous.
- Practice Data Minimization. This means gathering only the very essential data, i.e., data that can help meaningfully improve the company and add value. Data for data’s sake is worthless, and can actually prove detrimental to the company in the long run.
- Anonymize Data. Wherever possible, you should anonymize personal employee data, which means stripping it of any personal markers that link an individual to that piece of information.
- Protect And Secure Your Data. There are certain safeguards any business can put in place to secure data and prevent breaches. Such measures can include encrypting data, having systems in place to detect and stop breaches while they’re happening, and training staff so they never inadvertently disclose confidential information.