European Data Protection and the Path to GDPR Compliance

How prepared is your business for May 25, 2018? While most organizations have some awareness of the European Union’s passage of the General Data Protection Regulation (GDPR), many more are still figuring out how to prepare for these new rules. At Workday Rising Europe, Jeremy Baker, affiliate professor at ESCP Europe business school, outlined how organizations can get on the road to success for GDPR.

As a quick refresh, GDPR is a legal mandate that affects the way companies store and manage EU-based individuals’ personal data, including basic identity information, racial and ethnic origin, genetic and biometric information, and even their political opinions. It was designed to harmonize the patchwork of European data protection laws.

According to Professor Baker, to comply with GDPR, companies need to inventory their personal data and ensure it is stored in a secure environment. They also need to determine who in their organizations needs access to which categories of personal data and put in place controls to manage that access. “Businesses will have to start by searching for and accumulating all personal data they already possess and then storing it securely,” he said. “Then they will need to design and update rules on how they manage such data.”

“HR’s role will encompass not just communication, but also training and change management across all business units.”

With maximum penalties for non-compliance ranging up to four percent of an organization’s annual revenue or a maximum fine of €20 million, it’s not surprising the average Fortune 500 company will spend $16 million on GDPR preparations, according to Professor Baker.

HR Central to GDPR Success

In his session, Baker said the role of the HR professional is crucial to GDPR readiness. He stressed the importance for HR professionals to communicate the benefits of implementation to all company personnel and to clarify employees’ roles and responsibilities. He also cited the need for HR to identify which technology is best to help them deal with GDPR compliance, including the role of cloud providers, like Workday, in meeting these needs.

“HR’s role will encompass not just communication, but also training and change management across all business units, such as IT and legal. As well as pushing back on resistance to change, HR will need to figure of incentives to ensure employee engagement,” he said.

Baker highlighted qualitative research he’s conducted with organizations currently working towards successful GDPR compliance. He said that developing an action plan, performing a gap analysis of where the organization is versus where it should be, and updating key processes and procedures to ensure compliance are three tangible steps forward-looking companies are taking right now. On a more philosophical level, Baker stressed the importance of optimism across the business and a focus on how the tough path to GDPR compliance will ultimately bear fruit for the entire business.

“We only need to look at the Sarbanes-Oxley act that pushed companies towards organizing their financial data. Compliance was a nightmare back then, but now they could not live without it,” said Baker. “This is an opportunity to move in the right direction. It puts data in the spotlight, offering improved data management and insights and the chance to rethink how you acquire, store, and maintain data.”

“There is an inherent fear of making a mistake that is pushing companies to focus on finding the right technology supplier.”

Fighting Fines with Fire

According to Baker, the threat of fines for non-compliance have helped some organizations negotiate more resources to face the challenge of GDPR. “Our interviews show that there are worries about the cost of acquiring and maintaining a data management system. HR professionals are not IT experts, therefore good collaboration with IT is a prerequisite. There is an inherent fear of making a mistake that is pushing companies to focus on finding the right technology supplier,” said Baker.

The road to GDPR compliance will also have other benefits for HR, according to Baker. Discussing the long-term impact on HR, he talked about how the focus on data would allow HR to become more strategic, providing many more data points around engagement and diversity. Businesses going through the process of meeting GDPR compliance will boost not only productivity and performance, but also increase trust with employees and customers that comes from being a privacy-centred organization.