#42 Data Privacy and HR: Best Practices for Compliance
Data privacy is crucial for people teams to protect job applicants' and employees' personal data. Compliance with data privacy laws is necessary to avoid fines and reputational damage. ⛔🥚🫠
Without doubt, data privacy is an important, but often ignored issue. People Ops departments are absolutely no exception and are likely a prime target for anyone with malicious intent. With the rise of data breaches, fines from the ICO in the UK and increased scrutiny of privacy practices, people pros must be well-versed in data privacy laws and how to become and stay compliant.
In this newsletter, we'll explore the intersection of data privacy and People Ops and provide best practices for ensuring compliance.
Understanding Data Privacy Laws
The first step in ensuring compliance with data privacy laws is understanding the laws themselves. In recent years, a number of regulations have been enacted that impact People departments, such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States.
The GDPR is one of the most far-reaching data privacy laws in the world, and it's also a massive pain in the ass: it applies to any organization that processes the personal data of people in the EU, regardless of where the organization is located, its size or its industry (the UK kept an almost identical version as the UK GDPR after Brexit). Consent is only one of the lawful bases the GDPR allows for processing, but where you do rely on consent it must be freely given, specific, informed and unambiguous - positive opt-ins only, never pre-ticked boxes. The GDPR also gives individuals the right to access and control the data you look after for them, and you must report a breach that puts people at risk to your supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it.
The CCPA, on the other hand, is a bit less of a hassle. It applies to for-profit businesses that do business in California and have annual revenues of $25 million or more, buy, sell or share the personal information of a large number of consumers (originally 50,000; raised to 100,000 consumers or households by the CPRA amendments), or derive at least 50% of their revenue from selling consumer data. The law gives California residents the right to know what data is being collected about them, the right to request deletion of that data, and the right to opt out of the sale of their data (similar to the GDPR). One caveat for people teams: the CCPA's original exemption for employee and applicant data expired at the start of 2023, so California-based staff and candidates now have these rights too.
In addition to these laws, there are many other data privacy regulations that may apply to People departments, depending on where in the world they operate and the nature of their business. It goes without saying that it is essential that you familiarise yourself with these laws and ensure that your practices are in compliance. The last thing you want is the government to come a'knocking.
Best Practices for Compliance
Once you understand the data privacy laws that apply to your department, you can take steps to ensure that your business and your employees remain compliant. There are many ways to do this, from sorting it out in-house to finding a supplier to do it on your behalf. But here are a few best practices:
Obtain Consent for Data Processing
This is probably the most important one for most companies. Under the GDPR, every use of personal data needs a lawful basis, and where that basis is consent it must be explicit: individuals must be told how their data will be used and actively agree before any processing takes place. You can't use 'uncheck this to stop us emailing you' or 'use of our website means we can send you sales emails' kinds of mechanics, because consent has to be an affirmative action and must be as easy to withdraw as it was to give. If you use their data (including browsing data, for example) for analysis or anything like that, they need to be informed.
To obtain consent, you should clearly communicate to job applicants and employees what data will be collected, how it will be used, how long you will keep it, and who will have access to it. This information can be included in a privacy notice or other written agreement. Not everything needs consent: you can process data that is necessary to perform the employment contract or to meet a legal obligation (for example, you need their bank details and address to pay them and send them things), and "legitimate interests" covers some other uses provided you have weighed them against the individual's rights and documented that. But if you don't have a compelling reason to hold something, you shouldn't have it.
Implement Appropriate Data Security Measures
One of the key requirements of data privacy laws is the implementation of appropriate technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration or loss. In the ISO 27001 information security world, risks to information are assessed against its confidentiality, integrity and availability (CIA): can the wrong people see it, can it be changed without you noticing, and can you still get at it when you need it? You should ensure that you're paying close attention to all three for the data you capture and store about your employees.
You should ensure that personal data is stored securely - encrypted at rest and in transit, not merely behind a password - that only staff who need it for their job can get to it (least privilege, ideally down to the individual field), and that every access is logged so it can be monitored and audited. You should establish protocols for reporting data breaches and responding to incidents quickly; the 72-hour clock starts when you become aware of a breach, not when you finish investigating it. I know how we people folk love a policy, but these ones are super important and you'll be thankful you worked all this out up-front when the worst does happen.
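The "only authorised staff" and "access can be monitored and audited" parts of the paragraph above can be enforced in code rather than left to policy. The following is an added example of my own, not code from the newsletter or from any HR product: field-level permissions per role, and an audit log whose entries are chained with an HMAC so that a deleted or edited entry is detectable. The roles, field names, employee record and actor names are constructed for illustration; the key would live in a KMS or HSM in real use, and encryption of the stored record itself (which this example does not show) needs a proper library such as the AES-GCM primitives in `cryptography`.

```python
"""Least-privilege access to employee records with a tamper-evident audit log.

Added illustration, not from the original newsletter.  Roles, fields, the
sample record and actor names are all constructed for the example.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Which fields each role may read (constructed example of least privilege).
ROLE_FIELDS = {
    "payroll": {"name", "bank_account", "address"},
    "recruiter": {"name", "email", "cv_summary"},
    "line_manager": {"name", "email"},
}

# Constructed sample record; in practice this comes from the HRIS/ATS.
RECORDS = {
    "e1001": {
        "name": "A. Example",
        "email": "a.example@example.test",
        "address": "1 Example Street",
        "bank_account": "12-34-56 00000000",
        "cv_summary": "Applied for People Ops role",
    },
}

# Key for the audit chain.  Hypothetical: generated per process here, but in
# production it must be held outside the application (KMS/HSM).
AUDIT_KEY = secrets.token_bytes(32)


class PermissionDenied(Exception):
    """Raised when a role asks for a field it is not allowed to read."""


class AuditLog:
    """Append-only log where each entry's HMAC covers the previous entry's HMAC.

    Removing or altering any entry breaks the chain, so verify() fails.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: list[dict] = []
        self._prev = b"\x00" * 32  # chain anchor for the first entry

    def _mac(self, entry: dict) -> bytes:
        body = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def record(self, actor: str, role: str, subject: str, fields: set, allowed: bool) -> None:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "subject": subject,
            "fields": sorted(fields),
            "allowed": allowed,
            "prev": self._prev.hex(),
        }
        mac = self._mac(entry)
        entry["mac"] = mac.hex()
        self.entries.append(entry)
        self._prev = mac

    def verify(self) -> bool:
        """Recompute the chain from the anchor; False if any entry was changed or removed."""
        prev = b"\x00" * 32
        for entry in self.entries:
            if bytes.fromhex(entry["prev"]) != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "mac"}
            mac = self._mac(body)
            if not hmac.compare_digest(mac, bytes.fromhex(entry["mac"])):
                return False
            prev = mac
        return True


def read_record(actor: str, role: str, subject: str, fields, log: AuditLog) -> dict:
    """Return only the requested fields, and only if the role may see all of them.

    Denied attempts are logged too: the audit trail must show who tried, not
    just who succeeded.
    """
    wanted = set(fields)
    denied = wanted - ROLE_FIELDS.get(role, set())
    log.record(actor, role, subject, wanted, allowed=not denied)
    if denied:
        raise PermissionDenied(f"role {role!r} may not read {sorted(denied)}")
    record = RECORDS[subject]
    return {field: record[field] for field in wanted}


if __name__ == "__main__":
    log = AuditLog(AUDIT_KEY)
    print(read_record("pay-clerk-1", "payroll", "e1001", ["name", "bank_account"], log))
    try:
        read_record("recruiter-7", "recruiter", "e1001", ["bank_account"], log)
    except PermissionDenied as exc:
        print("denied:", exc)
    print("audit chain intact:", log.verify())
```

The check that matters for an auditor is the last line: anyone with write access to the log storage can still delete rows, but they cannot do so without `verify()` reporting it, provided the key is held somewhere they cannot reach.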
Provide Access and Control of Personal Data
Under the GDPR, individuals have the right to access and control their personal data. You should make sure that job applicants and employees can easily access their data, such as through a self-service portal or request form. It can be a manual process if your volumes are low, but consider using some software or an online tool if it becomes a burden. There's an expectation that any request you receive from someone should be satisfied within one month of receipt (extendable by up to two further months for complex or numerous requests, provided you tell the person why within the first month).
Also, people should have the ability to request corrections or deletions of their data. You should establish processes for handling these requests and ensure that they are handled quickly - again, within one month at most.
This can be a pain as you may often find data about an individual spread through several systems, stored in spreadsheets, emails etc. It's useful to use an applicant tracking system (ATS) and stick to communicating in there, especially if you get a lot of Data Subject Access Requests (DSARs). One caveat on deletion: the right to erasure isn't absolute. You can (and sometimes must) keep records you are legally obliged to retain, such as payroll records, but you should tell the person what you've kept and why.
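The collation problem just described, as an added example of my own rather than anything from the newsletter: three tiny in-memory stand-ins for an ATS, a payroll export and a mailbox export (all constructed), matched on a normalised email address; a deadline calculator that follows the "same date next month, or the last day of that month if there isn't one" rule the ICO uses; and an erasure routine that deletes what it may and reports what it kept under a retention obligation. In a real system each `store` would be a query or API call, and the matching key would be an employee or candidate ID rather than an email.

```python
"""Collating and erasing a data subject's records across several systems.

Added illustration, not from the original newsletter.  The three stores and
all records in them are constructed for the example.
"""
import calendar
from datetime import date

# Constructed stand-ins for systems that typically hold applicant/employee data.
ATS = [
    {"id": "app-1", "email": "Jo@Example.test", "name": "Jo Example", "stage": "interviewed"},
    {"id": "app-2", "email": "other@example.test", "name": "Other Person", "stage": "rejected"},
]
PAYROLL = [
    {"id": "pay-7", "email": "jo@example.test", "bank_account": "12-34-56 00000000", "tax_year": "2023/24"},
]
MAILBOX = [
    {"id": "msg-3", "from": "jo@example.test", "subject": "Interview availability"},
    {"id": "msg-4", "from": "recruiter@example.test", "to": "jo@example.test", "subject": "Offer"},
]


def _norm(email: str) -> str:
    """Email addresses arrive in every capitalisation; compare them normalised."""
    return email.strip().lower()


# One entry per system: where the records live, how to match a subject, and
# whether a legal obligation prevents erasure (hypothetical reasons).
SOURCES = {
    "ats": {
        "store": ATS,
        "match": lambda rec, e: _norm(rec["email"]) == e,
        "retain": None,
    },
    "payroll": {
        "store": PAYROLL,
        "match": lambda rec, e: _norm(rec["email"]) == e,
        "retain": "statutory payroll record retention (legal obligation)",
    },
    "mailbox": {
        "store": MAILBOX,
        "match": lambda rec, e: e in {_norm(rec.get("from", "")), _norm(rec.get("to", ""))},
        "retain": None,
    },
}


def _find(source: dict, e: str) -> list:
    return [rec for rec in source["store"] if source["match"](rec, e)]


def collate(email: str) -> dict:
    """Everything held about the subject, keyed by system, for the access response."""
    e = _norm(email)
    return {name: _find(src, e) for name, src in SOURCES.items()}


def add_months(d: date, months: int) -> date:
    """Same day N months on; if that day does not exist, the last day of that month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(received: date, complex_request: bool = False) -> date:
    """One month from receipt, or three in total if the request is complex."""
    return add_months(received, 3 if complex_request else 1)


def erase(email: str) -> dict:
    """Delete what can be deleted; list what was retained and the reason."""
    e = _norm(email)
    deleted, retained = [], []
    for name, src in SOURCES.items():
        for rec in _find(src, e):
            if src["retain"]:
                retained.append((name, rec["id"], src["retain"]))
            else:
                src["store"].remove(rec)
                deleted.append((name, rec["id"]))
    return {"deleted": deleted, "retained": retained}


if __name__ == "__main__":
    print(collate("JO@example.test"))
    print("respond by", response_deadline(date(2024, 1, 31)))
    print(erase("jo@example.test"))
```

The `retained` list is what goes back to the person with the erasure confirmation; the `deleted` list is your evidence that the request was actioned.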
Train Employees on Data Privacy
To make sure everyone knows the law, employee training is an essential part of ensuring compliance. You should absolutely provide training on data privacy laws, as well as the department's policies and procedures for data security and privacy. This should happen from day one and be part of onboarding. Continued training - in the form of refreshers or quizzes - should also be used liberally. The ICO and other government bodies won't be pleased if you use ignorance as a defence against mishandling data or committing a breach.
Training should be provided to all employees who handle personal data, including people staff, hiring managers, and interviewers. It is important to ensure that employees understand their responsibilities and the potential consequences of non-compliance, which include massive fines, reputational damage and sleepless nights for those in authority!
One of the best ways to help your people think about data privacy is to frame the data differently. Explain that your organisation doesn't own its employees' or customers' data; you're just looking after it for them and, as if you were looking after their jewellery, TV or other valuables, you should guard it appropriately from malicious activity.
Review and Update Data Privacy Policies
Another painful aspect of data privacy is that the laws are constantly evolving. As people pros, our departments must keep up to date with the latest requirements and best practices. We should regularly review our data privacy policies and procedures to ensure that we are in compliance with the latest laws and regulations. Another yawn-fest, but an important one nonetheless.
When we find changes or additions to laws, we need to be prepared to update policies and procedures as new laws are enacted or as the business environment changes. Let's say you want to branch out into a new country, or open an arm of the organisation in a different industry - you'll need to work with legal or compliance professionals to ensure that policies are up-to-date and meet all legal requirements, for both the existing business and the new bit.
Pay Attention, Avoid Fines (and egg on your face)
Data privacy is a critical issue for people ops people, and compliance with data privacy laws is essential for protecting job applicants' and employees' personal data. We must familiarise ourselves with the laws and best practices for becoming compliant and for maintaining an ongoing compliance stance. It's hard work and a bit of a faff at times, but you'll be richly rewarded with absolutely nothing bad happening, zero fines and not being accountable to anyone for breaches of the law.
Classifieds
I’m still trying a new thing - classifieds - to see if there’s any interest in products from the wider #hashtagpeople and #peoplePost communities. Having a link in this slot is free for four weeks (or until I work out the best way to do this). So let me know by reply (or fill in this form) if you’d like a 180-character, one link classified!
Performance reviews are a hassle. With WorkStory, save your team time by collecting feedback automatically using the tools you already work with like Slack, Teams, Webex, or email.
"Why did I do that?!" We often regret our emotional reactions: Shouting, procrastinating, not saying "No"... Get on good terms with your emotions - get Ahead, your EQ pocket coach!
Jobs
Trying another new thing. Someone got in touch to offer me a personalised jobs board with people-flavoured roles, so I thought I’d give it a spin. Happy for any feedback you have on this.