Last year, every European business was talking about the General Data Protection Regulation (GDPR), which took effect in May 2018. Today, businesses continue to struggle to stay on top of a constantly shifting path to compliance.
Here to help is Marcel Pieters, specialist leader at Deloitte Consulting B.V. in the Netherlands. At Workday Rising Europe, we talked about what GDPR means, how it’s going for companies, and what advice he has to offer. Take a listen:
If you’re more of a reader, the transcript is below, edited for clarity.
Steve Dunne: GDPR may be the four most heard letters in European business this year. The comprehensive data regulation took effect in May 2018. Meant to harmonize a patchwork of existing EU data privacy laws, the GDPR has had far-reaching implications. And the compliance state was just the beginning, not the end, as companies need to stay on top of a constantly shifting path to compliance.
I’m Steve Dunne from Workday, and today on the Workday podcast, we’ll talk more about GDPR, what it means, how it’s going, and advice for listeners on how to approach it. To help us navigate this thicket, we’re joined by Marcel Pieters, specialist leader at Deloitte Consulting B.V. Welcome Marcel.
Marcel Pieters: Hello.
Dunne: We’ll start Marcel, if we can, with a brief background on your own journey and how you came to be at Deloitte and thinking about this topic of GDPR.
Pieters: Yes, so a brief introduction—my name is Marcel Pieters. I’m from Deloitte in the Netherlands, and have worked for Deloitte for almost eight years now. I got in touch with Workday two years prior to that, when I worked for an American company where we deployed Workday and loved the system, so I wanted to know more and hence, ended up at Deloitte and deploying since.
If I look at GDPR, it’s relatively new, but it’s also kind of old, so, like you mentioned, you had in Europe already a lot of loose regulations where some countries still were very tight and very strict; in other countries they were kind of loose, so I think it’s a good step forward. In my eight years at Deloitte, we saw that transition and we are now where we are.
Dunne: Perfect. And as you said, we’re six months on from the GDPR compliance date. Based on the many conversations you’ve had with European organizations, how are they performing in terms of GDPR and are there any regional differences across countries that you’ve noted?
Pieters: You see basically the countries where GDPR was already quite strict—like Germany with the work council, France, the Netherlands, and of course, Belgium—it’s not a big shift, it’s more putting dots on the “i.” But if you look at eastern European countries, southern Europe, complying to the law is sometimes already a challenge, so putting restrictions on top of that is an extra level. You see that they have some more challenges and that they struggle with it a little bit more.
Dunne: I think some of the cynics out there might kind of scoff at the idea that the European Union is going to start handing out fines to non-complying companies, but what do you think? Is that something that’s going to start happening?
Pieters: I don’t see that happening now; you see that a lot of countries are still in the transition. They got a lot of information, and they knew before that they needed to change something. But making this change is not always easy because if you have a very rigid system, then it’s very hard to make changes. So complying is done more after entering information into the system. So entering into the system allows you more than what you are allowed to report, so you see some patchwork and you see some small things. But I think until now there’s been very little noncompliance. I also think that [the European Union is] not going to give fines immediately, so if one year from now you still don’t have your act together, then you might be at risk. Normally with these kinds of big changes, they always give you some leeway and some slack to get it working. I think it will be a warning first, and then they will fine you. You will not be fined immediately.
Dunne: Diving in a little bit to the regulation itself—I think some of the criticism around GDPR has been that the language around it is confusing for ordinary organizations. Can you talk to us about the data rights for the data subject and what that means?
Pieters: It’s basically that the company needs to have a good reason for capturing the information they capture on you. So if they want to capture, for example, disability and it does not have any impact on your pay slip, it does not have any legal reporting to have that information in your system. Then the company doesn’t have a good reason to store that information, and that would be a reason for an employee to say, “No, I don’t want to disclose that information.” And the employee has the right to do so. If they don’t see the need for the company to have it and the company can’t explain why it needs it, then the employee can just say, “I don’t want to disclose it.”
And that’s the right you have as an employee. You have the right also to alter the information. At any point in time, you can change it to something else. A simple example is, of course, marriage. You can change [the status] if you want to, give that information, but you have the right as an employee to make a change and to give that information to your employer.
Dunne: Yeah, that’s interesting. And I think one of the biggest areas of confusion seems to be around how, when, where, and for how long you can actually store data. How does the right to be forgotten play into that idea?
Pieters: So the right to be forgotten is an interesting one because basically you never existed, but still the company wants to have you for trend reporting and stuff like that. That’s the balance where the employer has a lot of need to have the information and you, as an employee, can say, “I haven’t worked for you in the last five years; I don’t want you to have any record that I ever worked for you.” So that’s the right to be forgotten—if you are an employee and you were terminated. Also, if you applied for a job and did not get the job, companies can say, “We will keep you on file,” but basically you can say, “I don’t want to be disturbed anymore, I’m not available for you anymore.” That’s another one. But the challenge you have with the right to be forgotten is especially for the people who are already employed with you. What type of information can you delete while the person is still employed with you? And that’s what especially the current ERP system is struggling with because it’s not built to destroy anything—it’s built to keep the data for years and years and years.
Dunne: That’s very interesting. I think in terms of sensitive data that an organization might potentially want to share with other businesses in the future—say, if there’s been any misdemeanors, or something’s happened from an HR perspective why a person’s being removed from a company—how does that play into that? Because if there’s anything sensitive that needs to be kept for some reason, how would that be impacted?
Pieters: There are timelines for all of those things. If you had a misconduct, it’s not something you can keep for eternity. If you compare it to the real life: once a thief, not always a thief—and that’s also true if an employee did something wrong, you need to give them the benefit of the doubt. And if they performed well, their past shouldn’t block the employee from making their next move, and have that past information enable the next manager to say, “Oh yeah, seven years ago you did something wrong and for that reason I’m going to lay you off now.” That’s not allowed.
Dunne: There are probably listeners here who are still using on-premise software, and those who’ve made the shift to the cloud as well, but is there an optimum way of doing it? Even beyond cloud, what are the technologies that are ideal for GDPR?
Pieters: Is there an optimum way? There’s an easy way. I think with Workday or with another cloud solution, you already have the flexibility to have more control of your setup and make it a little bit easier. If you look at the configuration you can make, you can say, “I want to have these personal information fields only applicable for these countries, only allowed, or even mandatory.” You can configure that and put retention sheets on that one, so you can say, “I want to delete it after so many time at least.” They’re working on that purging process.
On-premise is a little bit different, because it was built to keep the data, but not to throw it away, so a little bit more difficult to have that in place. And also, if something is already in there, then most of the time it’s embedded in so many downstream systems that it’s also very hard to get it out again. Is there an optimum way? No. But you have ways to make it easier, and I think cloud solutions make it a little bit easier because there’s a distinction between your hardware and your configuration.
Dunne: I think there’s a lot of talk obviously about digital transformation, but GDPR is being viewed by many in a very negative sense. But is it actually leading organizations to make positive transformations around things like their HR infrastructure, for example? Is that a positive?
Pieters: So I think the good thing is that HR really needs to think and do a reset: Do we really need the data that we are capturing and what’s our purpose? So you see more and more, especially the bigger companies, that they have a GDPR officer, or at least someone who is specialized in GDPR and who is checking within the company: Are we fully compliant and are we able to explain to people and to ourselves why we need this information in this country at this particular time for this period of time? So if you have all of that information ready, then it’s easy to make your plan to move to GDPR, and otherwise, it’s kind of a patchwork of country access: Oh yeah, we need this and country-wise as we do this, so you see it now more combined to one function, which makes it easier.
Dunne: What advice would you give any listeners as they either embark on or continue their GDPR journey? Anything you’ve learned on your way?
Pieters: Don’t wait. Start as quickly as possible, and also don’t over-engineer it. In most cases, good is good enough, and if you’re not 100 percent sure, then just take it out for now and really go with your GDPR officer or someone else who has all this information to really find the answer if this is the information we need to capture. Start as soon as possible—it’s not something that can wait because, especially if you are embarking into a new transformation within HR, it’s so much easier to put it as part of your transformation than at the end say, “Oh by the way, did we fully comply with GDPR?”
Dunne: All right. That’s all the time we have for today. I want to thank Marcel Pieters from Deloitte for joining us at the Workday Podcast. If you’d like to hear more, please subscribe to our podcast. I’m Steve Dunne, and thanks for listening.