On the 25th of May 2018, the world of People Analytics changed. On that date, the General Data Protection Regulation (GDPR) took effect in the European Union. The GDPR sets out requirements for organizations on how to collect, store, and manage personal data. In this article, I will examine the impact of GDPR on People Analytics.
The GDPR applies both to European organizations that process data of individuals in the EU and to organizations outside the EU that have data on people from the EU. As this data includes both employee and customer data, almost all international corporations must deal with the GDPR in one way or another.
Personal data is information about an identified or identifiable person. It can include data like names, addresses, ages, income information, and cultural profiles. For those working in People Analytics, this is a challenge: pretty much all the data you have is about an employee in your company. But although some of the people in your privacy or legal divisions might want you to believe otherwise, you can still do your job in People Analytics.
GDPR was not introduced to prevent you from doing your job; it is there to make sure you process data in a fair and lawful manner. The processing should have a specified and legitimate purpose, and you can only use the data that is necessary to fulfill that specific purpose. You need at least one of the following conditions to process personal data:
- The consent of the individual
- A contractual obligation to process the data
- A legal obligation
- The need to protect the vital interests of the individual
- To carry out tasks in the interest of the public
- To act in the legitimate interests of your organization
Data Usage Board
At Dutch Railways we have (had) a lot of discussions about the use of data in HR and whether we can use the data for our analyses.
We have several measures in place to make sure we use data in a way that complies with the GDPR. We have a body called the Data Usage Board (DUB). Anyone within the company who wants to use data (secondary data for new purposes) needs permission from the DUB to process that data. To get that permission, you need to submit a Data Usage Request (DUR). The DUB checks the DUR against several disciplines, such as privacy, competition, information security, data management, and transparency.
Every discipline has a representative in the Data Usage Board. Should the DUB decide not to agree to the Data Usage Request, they will advise on how the processing could take place in a different and suitable way. All data processing is registered. With the experience we have gained over the last couple of years, it is possible to submit your DUR on Tuesday and have a verdict from the DUB the next Tuesday. So you need about a week to get your permission, which is not bad in a large company like Dutch Railways (20,000 employees).
Data Champions & Definition Stewards
We have also implemented a new role: that of the Data Champion. Throughout the company we have Data Champions who do this as part of their existing jobs.
Data Champions are trained to be ambassadors for the privacy of both customers and employees of Dutch Railways. They also need to promote awareness about privacy within their own business unit. Of course, knowledge of the rules is needed and they are the first go-to for our Privacy Office.
Our HR department has three Data Champions, one of whom is a member of the People Analytics Department. And it works! Whenever there is something unclear about the data we use, we contact our Data Champions without the need for a more formal Data Usage Request. The member of the People Analytics department is also our Definition Steward. A Definition Steward has knowledge of data objects, how to calculate KPIs, and the use of the correct terms in processes, in this case, HR processes.
It is safe to say that Dutch Railways has well-considered governance when it comes to the GDPR. You can imagine that it took some time to get there. During this time (and to this day) we have had pretty strong discussions when People Analytics wanted to do an analysis and the DUB thought we could not do it because of GDPR.
Over the years we have also learned to put trust in the fact that both People Analytics and the Data Usage Board have the same interests. We have learned not to see the DUB as our opponent, which makes working together much easier, in a compliant way. And over the years we as a People Analytics team have shown that we do not betray the trust when given the permission to do an analysis.
GDPR should not be a burden
In conclusion, GDPR helps to make sure that what you do is thought through and that you have taken the right measures to assure privacy and data safety. To enable the People Analytics team to give answers to business questions faster, we have also implemented a framework that shows what kinds of analyses we can do without going through the DUB. This mainly includes analysis of data that an HR Business Partner already has in their possession. The framework has explicit rules for three groups: HR Business Partners, HR Centers of Expertise, and business managers. For each group, it sets a different level of detail at which results can be reported. The framework saves time on both ends and enables fast, data-driven decision making.
Because we have the governance in place at Dutch Railways, we were able to agree on analyses that we can always do without going through the DUB process. That saves time on both ends and helps us with the most important thing: we can give answers to business questions faster!
I hope that this article shows you that GDPR should not be a burden. Not in general, and not for People Analytics. You can still do your analyses and with the right governance in place, you can do so without jeopardizing people’s privacy.