HR analytics and the GDPR: where things stand

The European Union’s General Data Protection Regulation (GDPR) came into effect May 25, 2018. It aims to protect European Union citizens from privacy and data breaches. Any company that is found not in compliance with the legislation could receive severe fines and penalties. How do these regulations impact your HR analytics? Here are key points to consider in this area.

Applications for data access

An employee has the right to request a copy of the data your organization stores about them. You can fulfill the request with a basic solution, such as screenshots of the data, or with a more sophisticated report from your HRMS.

If you are using a reporting solution that combines HRMS data with other company data, you may need to use your reporting tool in addition to your HRMS to fulfill the request.

Employee data deletion requests

This requirement is also known as ‘Erasure.’ After an employee has received details about the data being held by your company, the employee may request deletion of the data.

It may be a valid request for the removal of legacy data, which you can complete in your HRMS. You need to be aware of where else the data is going, in particular if you are sending data to internal or off-site data warehouses or Big Data reporting platforms. It’s not enough to delete data only at the source; you also need to remove it from downstream reporting applications.

Ensure ‘Privacy by Design’ in your analytics activity

Privacy by design has been around for many years, but the GDPR now includes it as a legal requirement. It entails building organizational and technical safeguards into the initial design of systems instead of adding them after the fact.

For example, how is your HR team handling reports from your HRMS? Are they sent encrypted and password protected? Do you post employee data to a shared drive where HR is not in control of the security? Loose standards around analytics should be a high concern, since the possibility for damage is greater.

Continue to run analytics

While some companies based outside of Europe have complained about the additional cost and effort involved with the GDPR, many have welcomed it as an improvement over the 1995 Data Protection Directive 95/46/EC. The previous directive was often cited as over-encompassing and ambiguous. A data protection officer at one company could interpret the rules for HR data storage and handling completely differently from a counterpart at another company. The new regulations bring a breath of fresh air, and once the appropriate training and processes are in place, your HR analytics should be easier to administer on the data privacy front.

 

Heather Batyski

About the author…

Heather is an experienced HRMS analyst, consultant and manager. Having worked for companies such as Deloitte, Franklin Templeton and Oracle, Heather has first-hand experience of many HRMS solutions including Peoplesoft and Workday.
