06

Potential pitfalls: looking at data privacy, transparency and security

Today’s HR departments are collecting, or have the potential to collect, huge amounts of data, and this can bring great rewards for those who use those data intelligently. But, data also bring their own unique challenges. Therefore, before implementing any intelligent HR approach, it is important to consider the potential pitfalls and legal issues that surround employee-related data, particularly when it comes to employees’ personal data. In this chapter I look at data privacy requirements, ethical issues and the need for transparency, and data security considerations. Collectively, all these factors come under what is known as ‘data governance’, and I finish the chapter with some practical steps for good data governance. This is absolutely vital because practising good data governance will help to ensure that your HR data remain a valuable asset, and do not turn into a liability. Before we get started, please do keep in mind that these are all huge topics in their own right and the regulatory landscape is changing. Specialist legal advice is therefore recommended.

Understanding which data you have

You cannot properly protect data or practise good data governance if you are not entirely sure which data you have. This can be a challenge for HR teams in particular because employee-related data can be housed in all sorts of departments and systems outside of the HR team itself. Think of payroll data, for instance, or data related to performance, targets and incentives. Therefore, an important first step in data governance is being aware of all the people-related data owned by your organization, including where those data reside, exactly which data are involved (critically, do they include personally identifiable information?), who those data are divulged to, how those data are processed or analysed and how they are then used within the organization. Do not forget to consider any data that may be used or processed by third parties (a payroll company, for instance) or anything stored with off-site data providers or in the cloud.

The thorny issue of data privacy

I am not a lawyer and, at the time of writing, European legislation on personal data and individuals’ right to privacy is changing significantly. On top of that, data privacy laws vary greatly around the world. For instance, the European Union (EU) arguably has the most stringent rules, and in the United States it can vary from state to state. It is therefore vital that any HR team gathering sensitive personal data makes sure it is operating within the laws of its country. Even within the relatively strict EU, it is fair to say that legislation has failed to keep pace with the speed at which technology has advanced and our ability to gather, store and analyse huge volumes of data. But that situation is changing. New EU regulation coming into effect in May 2018 – called GDPR, or the General Data Protection Regulation – is designed to enhance data protection and the right to privacy for EU citizens, giving them greater control over their personal data and how they are used.1

What about Brexit, I hear you ask. Well, at the time of writing, the indications are that GDPR still will be implemented into UK law – although, as with anything involving Brexit, this is a complex issue that is subject to change. However, I stress that GDPR covers the data of EU citizens, so, regardless of what happens with UK law, if your company touches data related to any EU citizens, you will absolutely have to comply with GDPR.

Looking at the impact of GDPR on HR teams

GDPR represents a complete overhaul of the legal requirements that must be met by any company handling the personal data of EU citizens, including employee data. Designed to give EU citizens greater control over what businesses can do with their personal data, the law states that companies can only use personal data for the express purpose for which it was given. Consent is therefore a critical pillar of GDPR. Customers and employees must explicitly opt in to allow a company to use their personal data, and they must be made fully aware of how those data will be used. Privacy policies will also have to be updated as there is a requirement for companies to make individuals aware of their new rights under GDPR.

The need for data consent

In light of the changes, it is vital you ensure the correct permissions are in place that allow you to use your people-related data in the way you intend – and only in the way you intend. More than one company has been tripped up in the past by invasive data collection strategies, collecting all manner of data that seemingly were not relevant to the service or product users had signed up to. Spotify is one such example. In 2015, the company released a new privacy policy that read more like the demands of a jealous partner than a music service. Among the new terms, Spotify claimed the right to go through your phone and access your photos, media files, global positioning system (GPS) location, sensor data (like how fast you are walking) and your contacts. It also announced it would share these data with advertisers, music rights holders, mobile networks and other ‘business partners’.2 Of course, the free version of the service is supported by advertising revenue, but these terms also applied to the platform’s many millions of paid users. The reaction from users was swift and negative. A huge outcry erupted on Twitter and other social-networking sites, with users saying they would leave the service rather than agree to the new terms. Part of the problem stemmed from the fact that the new privacy policy was extremely vague about exactly which data were being collected, when, why and with whom they were being shared. The huge backlash against this lack of transparency prompted the company’s CEO, Daniel Ek, to issue an apology and clarify the company’s position and intentions.3 This included the promise that: ‘We will ask for your express permission before accessing any of this data – and we will only use it for specific purposes that will allow you to customize your Spotify experience’.3

Total transparency is therefore important when it comes to using people’s data, and that is something I talk about in more detail later in the chapter. From a consent and GDPR point of view, however, what this means is being upfront with your employees about which data are being collected and for what purpose, and how those data will be used in practice. This can be clarified through a simple data privacy statement distributed to employees.

As stated, you also need to get employees’ express permission to collect and use the data in question. It used to be that consent was assumed as part and parcel of employment, but that is no longer the case. Under GDPR, HR teams will now need to get employees’ specific consent (eg a signed consent form) for processing personal data. Crucially, you can then only use the data for the purpose for which they were handed over. If you want to use the data for a different purpose, new permission will be required. Companies which fall foul of this regulation and are found to be misusing personal information face stiff fines of up to 20 million euros or 4 per cent of annual worldwide turnover, whichever is the greater of the two.

Other GDPR considerations

Under GDPR, employees also have the right to be forgotten and to withdraw their consent, so you will need to think through what this means for your systems. Do you have procedures in place for deleting employee data, for instance? How many systems would be affected? Can you be sure you are removing all traces? Does your team understand how important it is to comply with this regulation? These are all things that need to be considered as part of your data-driven HR strategy.

It is also very important you keep records of consent for gathering, storing and using employee data, as well as being able to demonstrate a clear business case for using the data. As another key point of compliance, companies must appoint a designated data protection officer (DPO), who should be properly skilled (or trained) and have an ‘expert’ level of understanding of the organization’s responsibilities regarding GDPR. You should therefore involve your DPO in discussions about your plans for data-driven HR and they will be able to advise you on compliance and consent issues.

GDPR also sets out strict mandates concerning reporting the theft or loss of personal data. While, for most companies, this is more of an issue for customer data, be aware that employee-related data are still highly personal in nature. So, in the event of any breach that affects employee data, you will need to inform the supervising authority (in the United Kingdom that is the Information Commissioner’s Office) within a maximum of 72 hours. You will also have to inform those individuals whose data are affected. There is more on data security and breaches later in the chapter.

What about those outside of the EU?

In the United States, regulation concerning the use of personal data may be a little less stringent, but there are still many things that can trip a company up. As Felix Wu, professor of law at the Benjamin N Cardozo School of Law, told me: ‘Unlike Europe, the US does not have comprehensive privacy regulation, but this may actually make things more difficult for companies, which must comply with a patchwork of varying state and federal laws’.4

There are also specific things to consider if your business transfers data related to EU citizens to the United States. If, say, your company has a US office, or a data analytics provider is based in the United States, or your data travel through the United States as part of a distributed storage system, you will be affected by these data transfer rules. The transfer of personal data between the United States and EU used to be covered under something called the Safe Harbor Framework. This provided a set of principles for transferring data between US and EU companies, and was designed to streamline business interactions by ensuring minimal business interruptions. Unfortunately, it also arguably relaxed attitudes to privacy, which is why, in 2015, the Court of Justice of the European Union ruled that the Safe Harbor agreement was no longer valid.5 The proposed solution is called Privacy Shield, and it provides a framework for US-based companies to demonstrate they can provide adequate protection in line with GDPR for EU citizens.6 For HR teams, the takeaway is to ensure that any personal data flowing through the United States are being handled by companies which are compliant with Privacy Shield and GDPR policies.

Privacy implications in practice

Let us look at a specific example of employee data and the privacy implications for HR teams. If a company has the ability to analyse e-mail data, it can get at all sorts of valuable insights – not just about who is planning their Saturday night out on work time, but much more valuable information such as how happy and engaged people are with their work and with the company as an employer. Monitoring e-mails for sentiment allows a company to gather much more accurate information than, say, an employee survey, and it also allows for much more frequent analysis than only once a year. In the United States, such use of employee e-mail data may be subject to state-specific laws but, in the main, employees in the United States have no general right to privacy in the workplace. Things are a little stricter in the EU, and will tighten up further in 2018 when GDPR comes into effect.

As we have already seen in this chapter, under GDPR, employees who are EU citizens have a right to privacy and consent must be obtained before you can capture and use their data. And companies which ignore these rules face huge fines (not to mention potential backlash and damage to their reputation). But even in the EU, employers can monitor staff e-mails, other electronic messages and the websites visited during work hours, providing they have a good reason for doing so. In 2016, this was challenged in the European Court of Human Rights when a Romanian employee took his employer to court after they fired him for sending private Yahoo Messenger messages during work time.7 The court ruled in favour of the employer, stating that it was not ‘unreasonable’ for the company to monitor the employee’s communications, and that the employer’s legitimate interest in carrying out such monitoring outweighed the individual’s right to privacy.7 But this decision does not give you carte blanche to read all employee communications just because you feel like it, or without telling them. Crucially, in this case, the court ruled that the employer’s actions were ‘limited in scope and proportionate’.7 In other words, they had a legitimate reason for monitoring the employee’s communications and their activity was limited to company resources, tied to a company policy regarding private communication and proportionate.

Telephone calls also may be monitored for business purposes. So, if your company operates a customer service or helpdesk call centre, you could be using the data gathered from those calls to assess and improve performance. Obviously, you need to obtain consent for monitoring calls, both from your customers and from your call-centre employees.

What this means for HR teams is that any monitoring of staff communications must be clearly explained in a privacy policy, employee handbook or contract and you should get employee consent for that monitoring. You need to make it very clear which data you are gathering in terms of e-mails, instant messages, website usage etc and why you are doing that. If there is no clear business reason for gathering the data, you should not be doing it. I would also steer well clear of messages that are obviously of a very personal nature and are not related to the business. Essentially, you should seek to strike a balance between the privacy of your employees and the needs of the business, and be transparent about what you are doing at all times.

Ethical issues and the need for transparency

As well as sitting on the right side of the law, HR teams also need to ensure their data usage sits within the ethical boundaries set by the company. Most companies these days emphasize a culture of openness and honesty, and your data-driven HR activities should not fly in the face of that culture. Clumsily implemented or poorly communicated data projects can do far more damage than good ones, potentially leading to serious issues with staff trust and morale. So it is important not to gloss over this aspect of data-driven HR. On the whole, we are all getting a lot more used to the wealth of data being collected and generated about us. When we sign up for a free online e-mail service, we acknowledge the e-mail provider’s right to read those e-mails. When we use an app, we agree to the provider’s right to use our location data, among other things. Or when we wear a fitness tracking band, like the Up band that I wear, we accept that the band will be gathering all sorts of data on our activities. The Internet of Things (IoT) – particularly the use of sensors being built into products – means we are all getting used to our everyday activities being tracked.

Why transparency is still important, even in this big data age

For a long time, I have been expecting a widespread backlash against large-scale data collection activities. In some cases, there have been complaints or protests against particularly dubious uses of data, usually when privacy policies are wilfully vague or when unethical companies misuse data. But it seems likely that, as we get more used to cameras, sensors, smart devices and other means of data collection, concerns will ease and people (employees included) will be more comfortable with companies collecting and using their data; however, this does not mean generating or gathering people-related data can be a free-for-all. As I have emphasized elsewhere in this chapter, you must have a clear business case for collecting data on your employees and this must be properly communicated. Transparency is one of the key pieces of advice I give to every company I work with. What this means in practice is employees need to be made aware of which data are being collected, why and what the company will use them for, ideally with a positive tone that emphasizes the benefits of these data. What you want is to achieve widespread buy-in for the use of data, from the top-level executives to frontline employees. It is easy for people to get on board with data when they understand how they will benefit the company and them as employees. Just as hundreds of millions of people are seemingly happy for Google to scan their e-mails in return for a free e-mail service, your employees are more likely to be happy with you using their data if they understand that information will be used to improve their working environment, for instance.

Getting buy-in for using data

Of course, how successful you are at gaining buy-in depends not just on how well you communicate the reasons and benefits for gathering data, but also the way in which you intend to use the data. If it is clear that the data are going to be used to whip people into working harder or as a disciplinary tool, you are facing an uphill battle. But that is not what intelligent, data-driven HR is about. It is not about creating a Big Brother culture and berating employees when they spend five minutes too long in the bathroom. It is about helping to drive the company forward and meet its strategic goals, which benefits everyone within the company. So, if you are looking to use sensor badges, for instance, to get an overview of how a job gets done or how interactions with colleagues or customers create a happier, more productive environment, that is a much more positive message for employees to buy into. Remember the bank in Chapter 5 which used Sociometric Solutions badges to identify that call-centre workers who took breaks together performed better? When the company instituted group breaks based on this insight, the whole team benefitted. This added value for the employees concerned as well as the company as a whole. And that is a critical point to make about data: transparency is vital, but so is adding value for employees. People are far happier for their data to be used when they feel they are getting something valuable in return, whether it is better working conditions, more effective management, a safer environment or something else.

In the same way, I do not mind Jawbone, the manufacturer of my Up fitness band, analysing my sleeping patterns, because the system helps me to monitor my health and wellbeing in real time. I also use the data from my band to recover faster between time zones, which actually is really helpful when I travel for business. And although I do not mind that Jawbone is collecting data on me, I do want to know the truth about what the company is doing with those data. If the data are aggregated with data collected from other people and not necessarily connected to me as an individual, I am fine with that because it can help us to understand more. For example, the data that Jawbone has collected on sleep alone are making huge in-roads into our collective understanding of sleep, insomnia and how sleep is impacted by various factors, and this has the potential to help a lot of people.8–10

The key to success in data-driven HR therefore is to be open about how you want to use the data you collect, to operate ethically and offer genuine value to your employees in return. When you provide value and can demonstrate a clear business case, most people will be happy, especially if the data are anonymized, that is, stripped of any personal markers that link an individual to the information (more on this later in the chapter).

Data democratization promotes transparency

Another aspect of data transparency is the democratization of data, as in sharing data with people within the organization wherever possible. This works on a couple of levels. First, if certain performance-related data can help to improve decision making across the business, it makes sense that the people who need those data have access to them. Second, sharing data promotes a more open culture, which, in turn, promotes greater buy-in. So, if you have the opportunity to share relevant data with areas of the business that can benefit from them, providing good data governance policies are in place, you should do so because it is a win-win situation. This could be as simple as sharing insights from data in the form of reports or visualizations (eg sharing insights from recruitment channel analytics or competency acquisition analytics with hiring managers). Or it could mean investing in dashboards or other reporting tools that allow people throughout the company to access, interrogate and manipulate data that are relevant to their job (eg managers having access to data from short pulse surveys on employee satisfaction, rather than waiting for the results of a lengthy annual survey).

Looking at security and data protection

An important part of data-driven or intelligent HR is making sure your data are secure and adequately protected from threats.

The devastating impact of data breaches

Data breaches can lead to huge losses for businesses, in terms of legal costs and financial compensation, as well as the damage done to a company’s reputation. These days, it seems like barely a week goes by without reports of yet another large-scale loss or theft of personal data. The biggest headlines tend to focus on customer or user data, as opposed to employee data. The 2015 Ashley Madison hack is one example. The website is effectively a dating site for people who want to have extramarital affairs (its own tagline is ‘Life is short. Have an affair’). Back in 2015, hackers famously published personal details (including names and e-mail addresses) of 32 million of the site’s members.11 What is interesting about this example is that it was probably the first time the public at large became aware of the potential social consequences (as opposed to financial or political consequences) of poor data security. But even this particularly juicy example pales into insignificance compared to the kinds of breaches that could happen in the future.

Google, for example, has dedicated itself to learning how to build profiles of people from the information they input into its services. In reality it has done this by conditioning us to enter as many data as we possibly can. Our phones constantly report our location. Speech recognition systems store recordings of our vocal commands, which can be analysed for insight into our emotional state and stress levels after they have fulfilled their primary purpose of letting us tell Google what to do. The possibility of a data set such as this existing at all may be scary enough for many of us, but the consequences of it falling into the wrong hands could be catastrophic. Just considering the implications of a data leak on this scale is enough to make any business take data security extremely seriously.

If you think that no one would be interested in stealing your employee-related data (as opposed to, say, customer credit card details), think again. If they contain personally identifiable information, data of any kind can be valuable. Think about the types of data the average HR team has access to: names, addresses, passport or ID numbers, bank account details, employment histories, health information etc. If this got into the wrong hands, it not only could be potentially damaging and inconvenient for your employees, but also it could seriously tarnish your employer brand.

Keeping IoT threats in mind

The IoT and its ever-expanding network of connected devices present an extra layer of security concerns. The notion that computers need to be kept secure is now pretty much commonplace, but it is not quite so commonplace with smart devices and other IoT-enabled products. With the explosion in IoT devices like fitness bands, sensors in machinery etc, businesses are inevitably becoming more vulnerable to hacking. Many are now arguing that the same level of precautions that apply to computers also should apply to smart devices. The theory is simple: more devices mean more possible attack vectors for intruders who want data. The how and the why are a bit more complicated: what benefit would an attacker gain from taking control of a smart thermostat, for instance? Well, aside from causing mischief (which is certainly the main motive for a good deal of IoT hacking activity), the likelihood is that the hackers want to use it to take advantage of network vulnerabilities which would allow them to get at the real jackpot: other devices such as personal computers or phones which are far more likely to hold sensitive and valuable information. Another angle of attack would be faked faults and prompts to make service calls or download software patches designed by hackers. These software patches could be malware designed to access other devices on the network through the supposedly faulty appliance. Ransomware is another potential danger. These viruses are already used to infect computers and make valuable data unusable unless a ransom is paid. Last year researchers at Symantec showed that this sort of virus could be programmed to spread from one device to another, locking the user out of their phone, then their watch and, in the future, perhaps their car, fridge or entire house. And new vulnerabilities are being found every day, as quickly as manufacturers can patch them, which is why any HR team using IoT-related devices to gather data needs to take its security very seriously.

What this means for HR data

Obviously, the HR department needs to operate within the data governance and data security guidelines set by its company, as well as legislation. GDPR sets strict rules on data protection and what to do in the event of a breach, so it is important you get up to speed on this or consult the GDPR expert within your organization. The downside of generating ever more data is that they introduce new vulnerabilities for the organization by creating more data that someone could potentially steal. The world of sport gives us a good indication of where HR teams might be going with data in the future. Data are now thoroughly embedded in most major sports, and it is now commonplace to minutely track every aspect of an athlete’s performance, wellbeing, diet etc. While this is great for those sports and teams which are benefitting from greater insights than ever before, there is a darker side: the main concern is data falling into the wrong hands.

Formula One (F1), for instance, is intensely data driven: as well as being sports professionals, the teams are effectively technology teams. The threat level in F1 has been intense and teams have suffered losses following data theft, as well as malware infection. Even in lower-tech sports like rugby and football, analysts will analyse almost every aspect of games. Players wear GPS trackers to monitor every move they are making and a massive amount of data are generated in training. If this information got into the wrong hands, it could have serious competitive consequences, which is why teams are now putting measures in place to protect their data.12 While HR-related data may not be as valuable as data from an F1 team, they are still important. These are personal data, after all, covering everyone from the CEO down to frontline staff, and they need to be protected, just like any other business asset.

Bringing all this together into good data governance

So far, we have uncovered a lot of pitfalls to working with data, which can be daunting. But these pitfalls can be managed and mitigated. How? The answer lies in good data governance. Data governance refers to the overall management and caretaking of data, covering their usability and integrity (ie making sure the data are of good quality and that you have the individual’s consent to use their data as you need), and security. Practising good data governance means being aware of the moral and legal requirements concerning every aspect of your data-related activities to make sure you are not breaking any laws and that you are operating in an open, ethical and transparent manner. Data governance also extends to having policies in place to determine exactly who has access to data, and who is responsible for maintaining the quality and accuracy of those data. There should always be an emphasis on taking care of data and treating them as the valuable asset that they are.

Creating a data governance programme

At its heart, data governance is about managing data as one of your business assets. Just as you have processes and systems in place to facilitate managing your staff, the same applies to your data. Assuming your organization has a data governance policy already in place (and it really should have), you need to ensure your intelligent HR activities operate within the scope of that policy. You may also need to put in place various data governance policies that are specific to your HR remit. This may include defining exactly who owns the various people-related data within the organization and who is accountable for various aspects of the data. Consider who is responsible for data accuracy, who is responsible for controlling access to the data and who is responsible for updating the data. You should also appoint a data steward or data champion from within your team to coordinate with others in the company on data governance, quality and privacy issues.

A good data governance programme also should set out clear procedures for how the data can be used and ensure that all staff who come into contact with your people-related data are aware of the privacy and permissions issues surrounding those data. Remember, you will not be able to use personal data for any other purpose than that which you originally got consent for. It is vital your people know and fully understand this. As we have seen in this chapter, legislation is certainly tightening up when it comes to misuse of personal data, and fines can be enormous.

Making sure you have got consent

Getting proper consent is a vital part of good data governance and, with the implementation of GDPR, is a strict legal requirement. Therefore, whenever you intend to capture, store and analyse employee personal data, you must ask permission first. And whenever you ask individuals for consent, it is imperative you explain which data you require and what you intend to do with them, and get their express consent for that usage. Further down the line, if you want to use the data for other purposes, additional consent will be needed.
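The consent rules set out above and under ‘Other GDPR considerations’ (one purpose per consent, new consent for a new purpose, withdrawal and erasure) can be enforced in software rather than left to memory. The register below is an added illustration and is not from the book or any HR product; the employee ids, purpose names and consent-form references are constructed.

```python
"""Purpose-bound consent register (added illustration, not from the book).

Every consent is tied to exactly one purpose. Processing for a purpose that
was never consented to, or whose consent has been withdrawn, is refused, and
employees with no active consent left are flagged for erasure.
Employee ids, purposes and form references below are constructed examples.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional


@dataclass
class Consent:
    employee_id: str
    purpose: str                   # the single, specific purpose consented to
    given_at: datetime
    evidence: str                  # e.g. reference to the signed consent form
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentRegister:
    """Records consent per (employee, purpose) and answers 'may we process?'."""

    def __init__(self) -> None:
        self._consents: List[Consent] = []

    def record(self, employee_id: str, purpose: str, evidence: str,
               when: Optional[datetime] = None) -> Consent:
        """Store a new consent with a timestamp and a pointer to the evidence."""
        consent = Consent(employee_id, purpose, when or datetime.now(timezone.utc), evidence)
        self._consents.append(consent)
        return consent

    def withdraw(self, employee_id: str, purpose: Optional[str] = None,
                 when: Optional[datetime] = None) -> int:
        """Withdraw consent for one purpose, or for every purpose if purpose is None.

        Returns how many consents were withdrawn; records are kept (not deleted)
        so the audit trail of what was consented to, and when, survives.
        """
        when = when or datetime.now(timezone.utc)
        count = 0
        for c in self._consents:
            if (c.employee_id == employee_id and c.active()
                    and (purpose is None or c.purpose == purpose)):
                c.withdrawn_at = when
                count += 1
        return count

    def may_process(self, employee_id: str, purpose: str) -> bool:
        """True only if an un-withdrawn consent exists for exactly this purpose."""
        return any(c.employee_id == employee_id and c.purpose == purpose and c.active()
                   for c in self._consents)

    def erasure_candidates(self) -> List[str]:
        """Employees known to the register who no longer hold any active consent."""
        known = {c.employee_id for c in self._consents}
        return sorted(e for e in known
                      if not any(c.employee_id == e and c.active() for c in self._consents))

    def audit_trail(self, employee_id: str) -> List[Consent]:
        """Every consent ever recorded for an employee, withdrawn ones included."""
        return [c for c in self._consents if c.employee_id == employee_id]


def guarded_process(register: ConsentRegister, employee_id: str, purpose: str,
                    handler: Callable[[str], object]) -> object:
    """Run `handler` only if consent for this exact purpose is active; else raise."""
    if not register.may_process(employee_id, purpose):
        raise PermissionError(f"no active consent for {employee_id!r} and purpose {purpose!r}")
    return handler(employee_id)


if __name__ == "__main__":
    reg = ConsentRegister()
    reg.record("E1001", "payroll", "form-A1")              # constructed ids
    reg.record("E1001", "engagement-survey", "form-B7")
    print(reg.may_process("E1001", "payroll"))             # True
    print(reg.may_process("E1001", "email-sentiment"))     # False: never consented
    reg.withdraw("E1001", "engagement-survey")
    print(reg.may_process("E1001", "engagement-survey"))   # False: withdrawn
    reg.withdraw("E1001")
    print(reg.erasure_candidates())                        # ['E1001']
```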

Practising data minimization

My fear is that many companies will spend too much time crunching all the things they can so easily collect data on, including how much time employees sit in their office chairs or how many people they have interacted with, rather than the more meaningful qualitative measures of what they did when sat in those chairs and the quality of their interactions with others. It is therefore important for HR teams to follow data minimization practices, which basically means gathering only the very essential data, ie data that can help to meaningfully improve the company and add value.

I firmly believe the ‘collect it all and analyse it later’ approach used by some companies should be a thing of the past, because it is a strategy that poses far too many risks. Any piece of personal datum which can potentially be stolen or leaked should be thought of as a security risk to your company and employees, particularly in light of the forthcoming GDPR legislation. This is why, even when I am talking about ‘big data’, I am still a big fan of the ‘less is more’ approach. With regulations tightening up, the days of big corporations collecting every speck of datum they can on their employees just in case it proves useful one day (or as Jeff Bezos, CEO of Amazon, put it: ‘We never throw away data’13) are gone. Not only is this an expensive approach – since the more data you collect, the more you will have to invest in data storage and analysis – it may land you in legal trouble.

GDPR insists that any personal data collected must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed’.14 In effect, this means collecting and holding only the minimum amount of personal data needed to fulfil your purpose. This is exactly what is meant by the term ‘data minimization’, or limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specified purpose. Particularly as the IoT continues to grow, organizations are faced with ever more ways to collect ever more kinds of data, including (and especially) private, personally identifiable data. Instead of a ‘save everything’ approach, any good data-driven HR approach should embrace a data minimization policy, collecting and storing only what you really need. After all, data collection and storage cost money, and no HR team in the world has a bottomless budget. In addition, too many data (especially personally identifiable data) bring big risks. A major leak of sensitive personal information can easily destroy a business’s reputation or even land it in court. You can imagine how much more galling this would be if you did not even need the data that you lost in the first place!

Anonymizing data

When you have decided that you absolutely do need to collect certain data, one great way to minimize risk is to anonymize those data as much as possible. This means removing any personally identifiable markers that are not essential to the task at hand before you store and analyse the data. For instance, when Jawbone analyses the data it gathers about me while I wear its fitness band, those data are aggregated and any markers that link the data to me as an individual may be removed. Say, for example, you are analysing the performance of sales colleagues to identify the key traits of successful salespeople in order to inform future recruitment decisions. In this case, what you are really aiming to do is hire the best talent for your sales team and remove some of the guesswork from the recruitment process. If that is the goal, do you really need the data you gather to identify individual sales colleagues? Answer: not really. Bear in mind, though, that stripping out names and ID numbers does not on its own make a dataset anonymous: a combination of the attributes that remain, such as job title, location and start date, can often single out one person, and GDPR treats such pseudonymized data as personal data still. Genuine anonymization usually means aggregating to group level and suppressing any group too small to hide an individual. Obviously, it is not always possible or desirable to anonymize data and there will be times when the data do need to be linked to individuals. In these cases, it is vital you take the necessary steps, like encryption and other data protection measures, to protect that information.
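The following is an added example, not code from the book, showing the two techniques from the data minimization and anonymizing sections applied to a constructed sales-performance extract: first the record is cut down to the fields the stated purpose needs, then the direct identifiers are replaced by a keyed pseudonym (an HMAC of the employee ID, so rows can still be joined over time without holding the raw ID and without the token being reversible by anyone lacking the key), and finally the results are aggregated by group with small groups suppressed so no single person's figure can be read off the output. The field names, the sample records and the placeholder key are all assumptions for illustration; a real key would be held in a secrets manager by a team other than the analysts.

```python
"""Minimise, pseudonymise and aggregate an HR performance extract.

Added example with constructed data. Field names, records and the key
below are illustrative assumptions, not taken from any real system.
"""
import hashlib
import hmac
from collections import defaultdict
from statistics import mean

# Constructed sample: a sales extract that still carries direct identifiers.
SAMPLE_RECORDS = [
    {"employee_id": "E1001", "name": "Ada Smith", "email": "ada@example.com",
     "region": "North", "tenure_years": 4, "training": "Advanced", "quota_pct": 112},
    {"employee_id": "E1002", "name": "Ben Jones", "email": "ben@example.com",
     "region": "North", "tenure_years": 2, "training": "Advanced", "quota_pct": 98},
    {"employee_id": "E1003", "name": "Cy Park", "email": "cy@example.com",
     "region": "South", "tenure_years": 1, "training": "Basic", "quota_pct": 87},
    {"employee_id": "E1004", "name": "Di Okafor", "email": "di@example.com",
     "region": "South", "tenure_years": 6, "training": "Advanced", "quota_pct": 105},
    {"employee_id": "E1005", "name": "Ed Ruiz", "email": "ed@example.com",
     "region": "West", "tenure_years": 3, "training": "Basic", "quota_pct": 91},
    {"employee_id": "E1006", "name": "Fay Lund", "email": "fay@example.com",
     "region": "West", "tenure_years": 9, "training": "Untrained", "quota_pct": 140},
    {"employee_id": "E1007", "name": "Gus Tan", "email": "gus@example.com",
     "region": "North", "tenure_years": 2, "training": "Basic", "quota_pct": 95},
    {"employee_id": "E1008", "name": "Hal Novak", "email": "hal@example.com",
     "region": "South", "tenure_years": 5, "training": "Advanced", "quota_pct": 101},
]

# Data minimisation: the fields the stated purpose (what distinguishes
# strong salespeople) actually needs. Name and email are not among them.
PURPOSE_FIELDS = ("region", "tenure_years", "training", "quota_pct")

# Placeholder secret (assumption). Keep the real key out of the analysis
# environment; without it the tokens below cannot be mapped back to IDs.
PSEUDONYM_KEY = b"replace-with-a-key-from-your-secrets-manager"


def pseudonym(employee_id: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the employee ID, truncated to 16 hex chars.

    A plain hash of a short, guessable ID like 'E1001' can be reversed by
    hashing every possible ID; the key defeats that without the key.
    """
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(record: dict, fields=PURPOSE_FIELDS) -> dict:
    """Return only the fields needed for the stated purpose."""
    return {f: record[f] for f in fields if f in record}


def pseudonymise(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Drop direct identifiers, keep a keyed token so rows can be linked."""
    out = minimise(record)
    out["subject"] = pseudonym(record["employee_id"], key)
    return out


def aggregate(records, group_field: str, value_field: str, min_group: int = 3):
    """Mean of value_field per group; groups below min_group are suppressed.

    Suppression is what stops a group of one (here the single 'Untrained'
    employee) from exposing that person's figure in the published result.
    """
    groups = defaultdict(list)
    for r in records:
        groups[r[group_field]].append(r[value_field])
    result = {}
    for g, vals in groups.items():
        if len(vals) < min_group:
            result[g] = None  # suppressed: too few people to hide behind
        else:
            result[g] = {"n": len(vals), "mean_quota_pct": round(mean(vals), 1)}
    return result


if __name__ == "__main__":
    safe = [pseudonymise(r) for r in SAMPLE_RECORDS]
    print(safe[0])
    print(aggregate(safe, "training", "quota_pct"))
```

The suppression threshold of 3 is deliberately small to keep the sample readable; in practice pick a threshold that matches the sensitivity of the measure, and remember that the pseudonymized rows are still personal data under GDPR while the key exists, so the same access controls that protect the raw extract apply to them.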

Protecting and securing your data

Given the impact of data breaches, as outlined in this chapter, it is vital your data-driven HR strategy takes account of data security considerations, ie the need to prevent data loss and breaches. When you are dealing with personal data (as in data by which an individual can be identified), you are responsible for their protection and you need to take measures to ensure those data are secured. There are certain safeguards any business can put in place to secure data and prevent data breaches. Such measures can include encrypting your data, both where they are stored and while they are being transferred, having systems in place to detect and stop breaches while they are happening, and training your staff so they never give away sensitive information. Do keep in mind that data security is a specialist field and it is always a good idea to consult with a data security expert, either inside or outside your organization.

Key takeaways

I am well aware that we have covered a lot of information in this chapter and that data privacy, security and governance comprise one of the drier, less interesting aspects of big data. The following is a quick rundown of what we have covered in this chapter:

· The new EU regulation coming into effect in May 2018 – called GDPR, or the General Data Protection Regulation – enhances data protection and the right to privacy for EU citizens.

· As well as legal considerations, HR teams need to ensure their data usage sits within the company’s ethical boundaries, which generally means being transparent with employees about what data you are collecting and why.

· Data breaches can lead to huge losses for businesses in terms of legal costs and financial compensation, as well as the damage done to a company’s reputation.

· Data governance refers to the overall management and caretaking of data, covering its usability, integrity (ie making sure the data are of good quality and that you have the individual’s consent to use their data as you need) and security.

· Getting proper consent is a vital part of good data governance and, under GDPR, consent relied on as the lawful basis for processing must be freely given, specific, informed and unambiguous.

· HR teams should practise data minimization, which basically means gathering only the very essential data, ie data that can help to meaningfully improve the company and add value. Data also should be anonymized where possible.

· Measures to secure data and prevent breaches include encrypting your data, having systems in place to detect and stop breaches while they are happening and training your staff so they never give away sensitive information.

With transparent privacy policies and good data governance processes in place, and by keeping abreast of the latest regulations, there is no reason why any HR team cannot use data to its full advantage. This brings us neatly to the next part of the book, which looks at how HR teams can use data in practice across the various HR functions. Up first: data-driven recruitment.

Endnotes

1 EUGDPR [accessed 23 October 2017] GDPR Portal: Site Overview [Online] http://www.eugdpr.org

2 Mason, P (2015) [accessed 23 October 2017] The Spotify Privacy Backlash: What Is My Personal Data Really Worth? [Online] https://www.theguardian.com/commentisfree/2015/aug/23/the-spotify-privacy-backlash-what-is-my-personal-data-really-worth

3 Ek, D (2015) [accessed 23 October 2017] Sorry [Online] https://news.spotify.com/us/2015/08/21/sorry-2

4 Marr, B (2016) [accessed 23 October 2017] Big Data: How a Big Business Asset Turns into a Huge Liability [Online] https://www.forbes.com/sites/bernardmarr/2016/03/09/big-data-how-a-big-business-asset-turns-into-a-huge-liability/#5a5aa8917761

5 Sayer, P (2015) [accessed 23 October 2017] EU-US Safe Harbor Agreement Is Invalid, Court Rules [Online] http://www.cio.com/article/2989732/eu-us-safe-harbor-agreement-is-invalid-court-rules.html

6 PrivacyTrust [accessed 23 October 2017] Privacy Shield Certification [Online] https://www.privacytrust.com/privacyshield

7 Collins, E C, Ornstein, D and Tarasewicz, Y (2016) [accessed 23 October 2017] European Court of Human Rights Rules Employers Can Read Employees’ Emails [Online] http://www.internationallaborlaw.com/2016/02/09/european-court-of-human-rights-rules-employers-can-read-employees-emails

8 Wilt, B (2014) [accessed 23 October 2017] In the City That We Love [Online] https://jawbone.com/blog/jawbone-up-data-by-city

9 Goode, L (2013) [accessed 23 October 2017] Men Sleep Naked and Other Useful Stuff Jawbone Up Can Tell Us [Online] http://allthingsd.com/20131023/men-sleep-naked-and-other-useful-stuff-jawbone-up-can-tell-us

10 Mandel, E (2014) [accessed 23 October 2017] How the Napa Earthquake Affected Bay Area Sleepers [Online] https://jawbone.com/blog/napa-earthquake-effect-on-sleep

11 Hackett, R (2015) [accessed 23 October 2017] What to Know about the Ashley Madison Hack [Online] http://fortune.com/2015/08/26/ashley-madison-hack

12 Marr, B (2017) [accessed 23 October 2017] The Big Risks of Big Data in Sports [Online] https://www.forbes.com/sites/bernardmarr/2017/04/28/the-big-risks-of-big-data-in-sports/2/#4ea1879a6809

13 Davenport, T H (2014) [accessed 23 October 2017] What It Takes to Succeed with Big Data [Online] http://data-informed.com/takes-succeed-big-data

14 Gabel, D and Hickman, T (2016) [accessed 23 October 2017] Chapter 6: Data Protection Principles – Unlocking the EU General Data Protection Regulation [Online] https://www.whitecase.com/publications/article/chapter-6-data-protection-principles-unlocking-eu-general-data-protection
