HR’s Secret Weapon for GDPR Compliance
Mika Javanainen, Vice President of Product Management, M-Files discusses why new data protection regulations will significantly impact HR, and what they can do about it.
The clock is ticking. One year from now in May 2018, the General Data Protection Regulation (GDPR) will go into effect. The new European Union (EU) data privacy regulation will have major implications for companies worldwide, not just those in the EU. Additionally, the price to pay for non-compliance is steep, with regulators empowered to impose fines of up to 20 million euros or 4 percent of a company’s global revenue, whichever is greater.
For those in HR, the impact of GDPR will be significant.
Change is Coming …
At its core, GDPR aims to unify data protection for individuals, shifting control over personal data back to the public. In other words, the regulation gives any EU citizen the right to know how any company, whether public or private and regardless of its physical location, is handling his or her personal data.
The regulation also expands the definition of personal data. Under the regulation, any data that can be used to identify an individual, including but not limited to genetic, mental, cultural, economic or social information, now falls under the umbrella of personally identifiable information (PII). Even cookies and IP addresses are part of the broadened scope of what needs to be protected.
Consent and access rights have also been strengthened for individuals under the GDPR, with more detailed conditions for relying on consent as the basis for processing data collected from EU residents. In other words, organizations must use simple language when asking for consent to collect personal data.
Additionally, and of critical importance to HR professionals who must manage a large volume and variety of information that is often highly confidential, organizations must not only be able to prove they obtained an individual’s permission to store and use their data, but must also provide electronic copies of private records on demand to those who request details on where their data is stored and for what purpose. This requirement alone could be a complex endeavor for organizations without the right systems in place to manage the process.
GDPR compliance means ensuring that organizations can reliably aggregate all personal data scattered across disparate systems, network folders, emails and employee devices throughout the enterprise. Indeed, this could be a huge undertaking for many business departments, including HR. Finding the right tools to help connect the dots is now a strategic imperative, as failure to do so could result in hefty fines.
Where to Begin
While the GDPR spells out in no uncertain terms the sorts of protections companies must offer for private data, the law says little about which technologies companies should use to provide those protections. One category of solutions that many organizations are already leveraging in anticipation of the GDPR mandate is enterprise information management (EIM) systems.
One of the primary benefits of implementing an EIM solution, particularly from an HR perspective, is that modern solutions allow organizations to take a quantum leap forward in the way they manage confidential information and processes. Companies can leverage an EIM system to identify personal information and then enforce access rights to files and preset rules for how this information is managed. For example, HR staff members can automatically purge or encrypt certain PII such as personnel records or job applications after a period of time to help reduce the risk of a potential breach.
Furthermore, with an EIM system in place, HR benefits from the ability to utilize the system for creating and implementing training programs. GDPR will surely trigger new policies and procedures within organizations, but those changes won’t happen on their own. Employees will need to be educated and trained, and HR will likely oversee that process. Leveraging an EIM solution can make the task easier by automating GDPR-related processes, such as sending reminders to employees who still need to complete training assignments and automatically notifying managers when the task is done.
GDPR will impact almost every corner of the enterprise – no one is immune. But for HR departments, which frequently deal with employee- and job applicant-related documents and data, the significance of the GDPR cannot be overstated. HR teams will need to assess their current processes and procedures very carefully to ensure they comply with these demanding new requirements. With about a year to go before the GDPR comes into force, it is critical to start preparing as soon as possible. Modernizing information management practices and systems is no doubt a great place to start in order to reduce risk and avoid the significant financial penalties organizations could face for failing to adequately protect private data.
Mika Javanainen is Vice President of Product Management at M-Files Corporation. Javanainen is in charge of managing and developing the M-Files product portfolio, roadmaps and pricing globally. Prior to his executive roles, Javanainen worked as a systems specialist, where he integrated document management systems with ERP and CRM applications. A published author, Javanainen has an executive MBA in International Business and Marketing. Follow Mika on Twitter at @mikajava.