The internal impact of GDPR


From May 2018, it’s not just customer data you need to consider.

We all know that GDPR is coming. Soon. But did you know that it affects your employees’ personal data, as well as your customers’?

Many companies are focusing their GDPR programmes on consumer data, but from May next year, your staff will have the same rights too. So all those bits of personal data you collect about your workforce – stored across different systems and spreadsheets – could be called for at any point. Would you be able to respond? When you think how much personal data you generate yourself through your career, it might set off some alarm bells.

But where do companies need to begin? The first question to ask is “what constitutes employee personal data?” You need to know what you’re looking for. Aside from the obvious – name, address, date of birth, marital status, tax bracket, etc. – you’ll likely hold their salary history, dietary needs, visa status, driving licence info and much more.

Think about it from an ‘employee lifecycle’ perspective. Prior to interview, they would have submitted something in advance – a CV, an application form, a letter, a test perhaps. This would have contained personal data. And when they visited, did you capture any ID? All of this could be requested under GDPR.

As staff move through their career, you’ll collect a lot more personal data. Training courses, secondments, international travel, expense claims, parental leave, performance reviews – everything will be recorded somewhere. Under the new regulations, you could be asked to show how and where you’re storing that data.

That’s when a lot of companies get concerned, because personal data is most likely lying across a whole raft of locations – some digital, some physical. Those systems probably aren’t linked either, so you could have multiple versions of the same data. Not to mention all the duplicates, email attachments and printouts people are holding on to. This makes it really challenging to get a compliant company-wide view of all the personal data you hold.
Even if we imagine that all those issues have been addressed (everything is in place to satisfy the regulators that you can locate personal data if needed), things don’t end there! GDPR raises a whole series of questions around the security of personal data. How are you keeping it protected over time? How do you ensure the right people have access to it? How do you prevent potential misuse of that data?

There’s a wider compliance issue to consider too. Because GDPR is an EU regulation, you need to understand the effect of sharing employee data with other territories. There are many considerations.

At ADP, we recognised early on that GDPR was going to have a broader impact than just consumer data. That’s why, in 2016, we applied for three sets of Binding Corporate Rules to govern how we manage the personal data of our, our business contacts and our staff. These are recognised as the best path for compliance with GDPR.

One of the tools our find particularly helpful when preparing for GDPR is this employee lifecycle map. It helps you to map out where your employee data is currently stored, and to consider the different scenarios you might be facing come May next year.

While GDPR is not far away now, there’s still time to get your internal data practices ready. Do take a look at the map and get in touch if you’d like to discuss how ADP can help further with your compliance programme.
About Cécile

Cécile Georges is the Global Chief Privacy Officer (CPO) of ADP. She has led the Privacy and Data Governance Team, which is part of the Global organization, since December 2016. The Team provides advice and operational guidance to all ADP business units globally, and is responsible for the design and implementation of ADP’s enterprise-wide compliance programs with respect to the protection of personal information.

In her previous role as the lead lawyer for the Asia-Pacific region, Cécile relocated from Paris, France to Singapore, where she supported the geographical expansion of ADP in the Asia-Pacific region. Cécile joined ADP in 1999 and was instrumental in building the Legal function. In 2006, she was appointed as the head of Legal for and was promoted to VP, Assistant General Counsel. In 2011, her scope was expanded and she was responsible for all of Employer Services International Legal.

Cécile has always been focused on the development of performance-driven teams that deliver excellent services to the business and ADP. Cécile holds a Magistère (Masters) in Information Technology Law and passed the Paris Bar.

