“Going digital” is no longer optional; digital is not part of the economy now – it is the economy. The sum of social and economic transactions today creates billions of everyday online connections among people, organizations, devices, data, and processes. The result is hyperconnectivity, which, coupled with new data types and sources, has given rise to the digital economy. Traditional business models and processes are being disrupted at lightning speed. TechCrunch put it beautifully: “Uber, the world’s largest taxi company, owns no vehicles. Facebook, the world’s most popular media owner, creates no content. Alibaba, the most valuable retailer, has no inventory. And Airbnb, the world’s largest accommodation provider, owns no real estate. Something interesting is happening.”
Every year since 2007, January 28th is observed in many parts of the world, including the United States, Canada, India, and Europe, as Data Privacy Protection Day, with the purpose of raising awareness and promoting privacy and data protection best practices. While countries around the globe each have their own regulations to protect their citizens’ personal data, the European Union’s General Data Protection Regulation (GDPR), which takes effect in May 2018, is creating ripples worldwide, primarily because of its huge penalties (up to € 20 million or 4% of a company’s global revenues), global impact, privacy by design, stringent consent conditions, 72-hour window to report data breaches, and the range of data subject rights.
Data subject rights essentially reflect the philosophy of the GDPR and, for that matter, are what should drive all privacy regulations today. Every individual has a right to privacy and protection of their personal data. Recently, India’s highest constitutional court, the Supreme Court, declared that individual privacy is a guaranteed fundamental right.
In the context of data privacy and data breaches, most organizations across the globe typically focus on their customers’ personal data, especially in consumer-oriented industries such as retail, travel, banking, and insurance. The high-profile data breach stories such as those of Yahoo, TalkTalk, Equifax, etc. all highlight the risks and losses of customer data only. But what about employee personal data? Data protection regulations like the GDPR require that organizations focus equally on the protection and privacy of employee data.
Employee Personal Data Processing in Organisations
When an individual becomes a part of a new organization, he or she will be required to share various types of information with the employer, including personal and sensitive data ranging from date of birth to financial details to health records. But what happens after they have joined? No one really bothers to find out what their employers are doing with this wealth of valuable data or what steps they are taking to ensure all this data is secure. Or, when the employer contracts an outside company, for example for learning and development, what measures are taken to safeguard sensitive employee data? Most of us tend to assume that our data will remain private and safe with our employers and in our enterprise systems. Unfortunately, this faith is sometimes misplaced. In early 2017, the UK retailer Sports Direct revealed that 30,000 unencrypted employee data files were stolen; however, the firm did not inform the employees until it was published in the news. A breach in the case management system used by the Department of Homeland Security’s Office of the Inspector General led to the leak of personal data for roughly 250,000 employees. A few years ago, hackers broke into Sony Pictures’ network, harvested data for two months and then leaked much of that data in November 2014, including confidential details such as names, addresses and Social Security numbers of Sony employees. The aftermath led to a class-action suit filed by the employees, resulting in a multimillion-dollar settlement.
Traditionally, employers have relied on ‘consent’ to process personal data of candidates and employees. However, this may not be a good practice given the power imbalance between employees and employers, where consent may not be given freely because of fear of negative repercussions. For instance, an employer may cite legitimate interest as a basis to process a candidate’s social media profile during the recruitment process; compliance with the spirit of data protection requires that employers determine, prior to inspecting a job applicant’s profile, whether the profile is related to business or private purposes. In addition, only data that is necessary and relevant to the position being applied for may be collected by employers. With respect to existing employees, the screening of social media profiles should not take place on a generalized basis at all.
Compliance with Data Protection Regulations
As organizations are waking up to the risks of managing their employees’ personal data, they are quickly realizing the enormous task that lies ahead. To begin with, many are not aware of what employee data they may have collected over time and where it is all located. For instance, passport data of employees may get processed and stored in the company’s travel-related systems. Insurance-related personal data collected may get shared with third parties. Corporate credit card details may be stored across a bunch of systems, from payroll to travel to benefits. As per a recent Forrester study, only 41% of organizations knew where their employee data is located. Moreover, a lot of this information often finds its way into files and emails, e.g. an image of a driver’s license shared via email. The same study states that 66% of companies fail to classify unstructured data properly. Essentially, it is fairly safe to assume that very few companies can really claim to know what and where all of their employee personal data is stored and processed.
So what should an organization do to ensure that it is compliant with data privacy laws for its employee data? First, it is imperative to realize that privacy is a top-down matter and must necessarily be driven by the firm’s executive leadership. The starting point is to define and set in place the proper HR governance framework, including relevant policies (such as data security and data retention), standards and processes. This will also help in understanding what data falls within scope and in its classification. Second, one needs to know where this data lies and how it is being used, and this is where the process of data discovery and process mapping comes in. Depending on the size and complexity, one could manually scan the systems for the incidence of personal data or choose from a wide variety of available technologies to automate the discovery process.
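As an illustration of the automated discovery step described above, the following added example (written for this page; it is not the author's code and not any particular discovery product) scans a few constructed, unstructured text snippets for the kinds of employee data the article mentions, such as card numbers, Social Security numbers, dates of birth and email addresses, and produces a per-file inventory of what was found. The sample file contents and the category names are constructed for the example; the card number is the well-known 4111… test value. A Luhn check is used to discard digit runs that merely look like card numbers, and the date-of-birth rule only fires near a "DOB" label, which is how real discovery tools reduce false positives. Findings are masked before being recorded, since the inventory itself should not become another copy of the personal data.

```python
import re

# Constructed sample "unstructured" content: a mail export, a travel note and a
# file with no personal data at all. None of this is real employee data.
SAMPLE_FILES = {
    "mail/expense-claim.txt": (
        "Hi payroll, please reimburse to my card 4111 1111 1111 1111, "
        "contact me at jane.doe@example.com. DOB for the insurance form: 1985-04-12."
    ),
    "travel/booking-notes.txt": (
        "Traveller SSN on file: 123-45-6789. Card on booking 1234567812345678 "
        "(number typed from memory, may be wrong)."
    ),
    "docs/meeting-agenda.txt": "Agenda: Q3 planning, 10:00-11:30, room 4.",
}

# Detection rules (hypothetical category names chosen for this example).
# The date-of-birth rule requires a nearby label so that ordinary dates in
# documents are not counted as personal data.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date_of_birth": re.compile(
        r"\b(?:DOB|date of birth)\b\D{0,30}(\d{4}-\d{2}-\d{2})", re.IGNORECASE
    ),
    # 13 to 19 digits, optionally separated by spaces or dashes; validated below.
    "payment_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for genuine card-style numbers, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits (or first two letters) so the inventory is not itself sensitive."""
    digits = re.sub(r"\D", "", value)
    if digits:
        return "*" * (len(digits) - 4) + digits[-4:]
    return value[:2] + "***"


def scan_text(text: str) -> list:
    """Return (category, masked_value) pairs found in one piece of text."""
    findings = []
    for category, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            if category == "payment_card" and not luhn_ok(re.sub(r"\D", "", match)):
                continue        # looked like a card number but fails the checksum
            findings.append((category, mask(match)))
    return findings


def scan_files(files: dict) -> dict:
    """Build the inventory: path -> {category: number of occurrences}."""
    inventory = {}
    for path, text in files.items():
        counts = {}
        for category, _masked in scan_text(text):
            counts[category] = counts.get(category, 0) + 1
        inventory[path] = counts
    return inventory


if __name__ == "__main__":
    for path, counts in scan_files(SAMPLE_FILES).items():
        status = "personal data present" if counts else "no personal data found"
        print(f"{path}: {status} {counts if counts else ''}")
```

Running the script lists the expense-claim mail as holding a card number, an email address and a date of birth, the travel note as holding only an SSN (its mistyped card number fails the Luhn check), and the agenda as clean. Pattern matching of this kind is only the first pass; the resulting inventory is what feeds the classification and process-mapping work the article goes on to describe.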
Steps to build Compliance with Data Protection Regulations
Step 1: Know what employee data you have, where it is stored and what it is currently used for.
Step 2: Analyze your HR processes and ensure legitimate and minimal processing of personal and sensitive data.
Step 3: Adopt a top-down approach and lead with governance best practices.
Step 4: Ensure employee data is secure, while at rest and in motion.
Step 5: Win digital trust and build an employer brand.
With this, organisations are on track to begin the compliance remediation journey, be it to secure this data using solutions such as encryption, to revamp the consent capture and check process, to modify business processes to efficiently service employees’ rights to access, modify or delete their personal data, or to be ready to detect and report breaches before the damage is done.
Law on data privacy and its effect upon Indian employers
The Information Technology Act, 2000 (‘IT Act’) is the only legislation which has attempted to address the issue of data protection and privacy. Section 43A provides for the protection of sensitive personal data or information (‘SPDI’) and section 72A protects personal information from unlawful disclosure in breach of contract. The government has recently introduced certain rules under the IT Act which, read along with section 43A, set out the compliances which need to be observed by an entity which collects or stores or otherwise deals with SPDI (such as passwords, financial information, health conditions, sexual orientation, medical records and biometric records).
Several multinational companies process their employee data at a single location in the world and the data is made accessible to subsidiaries located across the world. Hence, when putting their data protection systems in place, they need to take into account data protection laws of all the relevant countries. The provisions of Indian laws as discussed above may pose some unique situations and requirements which have to be adhered to.
Enhanced Employer Branding with Data Privacy Compliance
At this point, HR leaders may well be wondering how much more they need to take on; as if talent acquisition and employee retention did not present sufficient challenges, now comes the additional burden of ensuring employee data privacy. But in fact, it is quite the opposite. Gaining digital trust in today’s economy is one of the key success factors for brand building, and hence companies can look upon ensuring employee data privacy and protection as an opportunity to create a trusted and favored employer brand. Further, regulatory compliance requires that data processing must not only be legitimate but must also be necessary, proportionate and implemented in the least intrusive manner possible.
When organizations align their policies and processes to meet these requirements, they will automatically create an environment where employees feel more comfortable, which is one step towards increased employee engagement as well. As Stephen R. Covey said,
“Always treat your employees exactly as you want them to treat your best customers.”
Creating peace of mind among your employees that their sensitive data is just as safe as your customers’ data is a big step towards achieving this.