Chris van der Schoor, Head of HR, Accedo
It is easy to get caught in the drama. It is easy to see the threat. It is easy to blame this bureaucratic institution for imposing rules on our organizations. And as an employer, it is very easy to feel unjustly treated when you need to safeguard the privacy of a person who will eagerly share a lot more personal information with an unknown party to play the latest Angry Birds game on their mobile phone. Drama is great but doesn’t resolve anything.
Let me be clear: GDPR has a massive impact on product development and may require a full overhaul of traditional IT product design. But from an employer perspective, GDPR doesn’t ask anything unreasonable:
- Be transparent to people about the personal data you process;
- Minimize the data you process and be clear about why you process it;
- Allow them to review and rectify their personal data;
- And after employment ends and legal data storage requirements have passed, allow people to request that their personal data is erased from all company records.
At the same time, it requires that you:
- Ask employees for their free consent to process their data. ‘Free’ meaning that you don’t threaten countermeasures if consent is not given;
- Maintain an audit log of personal data processing activities;
- Ensure the security of your systems;
- And that you have a contingency plan for data breaches.
Honestly, if any employer disagrees with any of these bullets, the problem is not GDPR…
So let’s take a more positive approach!
At Accedo, we took several actions on GDPR. Amongst those, we took the opportunity to literally review and write down the purpose of each data field in our HR Information System, to list which roles have access to this data and make this available to all employees. Every data field we couldn’t get a clear purpose on, we simply stopped using. The result? Fewer fields to maintain, fewer data accuracy issues, more time for valuable HR stuff.
We opened up all personal data fields to employees to review and correct their own data of course. And then took it one step further. We enabled employees to delete any personal data we are not legally required to process and that they did not want to share with us. Whatever their reason may be… Is it annoying to not have everyone’s gender data? Nationality? Education level? Annoying maybe, but not business critical. Is it irresponsible not to have emergency contact info? As long as it is a conscious choice from the employee, it is up to us to respect that. But what about your gender equality statistics, I hear your HR Analyst cry. Those statistics now simply include a ‘Does not disclose’ category…
Is this making us fully GDPR compliant as an employer? Probably not. The cool thing is nobody, not even expensive consultants, will be able to determine full compliance until the GDPR is tested in court. Nevertheless, it shows we are serious about respecting data ownership and transparency, and most importantly: we are taking action. Let’s save the drama for the many excellent video streaming series…