PoPI and GDPR – a forgotten essential in HR

Jun 11th, 2018

Gary Allemann, MD at Master Data Management

The Protection of Personal Information Act (PoPI) in South Africa and the General Data Protection Regulation (GDPR) in the European Union have shone a light on the importance of protecting valuable personal information. However, while the focus has predominantly been on data belonging to customers, it is important to bear this legislation in mind when it comes to employee data too. In fact, as Gary Allemann, Managing Director at Master Data Management, points out, employee data can be some of the most sensitive information that a business possesses.

The impact of PoPI and GDPR on HR

“Human Resources (HR) departments deal with incredibly sensitive information,” says Allemann. “Employee files contain salary information, banking details, credit and criminal records – if any – and also medical information, including data on mental health or, in some cases, HIV (Human Immunodeficiency Virus) status.”

The information that Allemann talks about is typically very personal, often more so than the relatively basic data that organisations store on their customers and other contacts. Apart from protecting this data from external exposure, it also needs to be kept safe from internal access or distribution, including that of unauthorised HR personnel.

Considering the pending legislation, Allemann says, “Employee data has always been sensitive, so most organisations already have stringent security measures in place. However, today’s human capital data environments are more complex than ever before, with multiple platforms and layers adding to the complexity.

“Keeping track of the ebb and flow of HR data can be a challenge, especially with PoPI and GDPR demanding that organisations show transparency in the management and security of their data.”

The governance role

The complexity of HR data environments that Allemann alludes to is caused, in part, by the increasing uptake of cloud and hybrid environments. HR data is moved across these platforms – different clouds, different countries, internal and external environments – daily, and used for various processing purposes. There are a number of cloud-hosted HR, payroll and workflow tools that integrate with an organisation’s own in-house systems, wherever they may be hosted.

“Businesses have to have a clear understanding of where their data is at any given time, as well as who is accessing it, for what purpose and whether or not it is adequately secure, at rest or in transit,” Allemann affirms. “This becomes a big challenge, which governance can help to address.”

Governance therefore becomes a critical component of managing HR data, and indeed all data. By helping to define policies, processes and security measures around data, governance ensures that data is properly classified, used only for the purposes for which it is intended, and accessed only by the people who are permitted to use it.

Says Allemann, “Within an HR department, not everyone needs to access all aspects of an employee’s information. A commission payment, for example, would only require access to an employee’s hours, commission structure, sales data and banking information.

“Data such as their medical record or even salary details would need to be kept privileged unless it plays a role. Proper governance would ensure that the right process is followed, every time.”

An opportunity

According to Allemann, GDPR and PoPI should be viewed as an opportunity for organisations to take inventory of their HR data and ensure it is being governed and managed properly.

“Apart from the financial ramifications, non-compliance with regard to protecting HR information can also have as significant an impact on a business and its reputation as not protecting customer data,” he says.

“Dissemination or leaking of privy employee information can create company discord through disgruntled employees and a reputation as a business nobody wants to work for. That said, employees who understand what could go wrong within their environment may be inclined to be more forgiving than a customer, who will simply take their business elsewhere. The right governance policies will not only minimise the risk of data loss, but also allow for employees to understand how their own data is managed and how to handle any possible breaches, leaks or errors.”

While building a governance policy can address legislative requirements, it also helps to streamline HR data management. Allemann says that organisations can take the chance to dispose securely of outdated or irrelevant employee data, move to more digital environments if they have not yet done so, update their records, avoid duplication and ensure that their data is being used for the right, most sensible purposes.

“PoPI and GDPR give organisations an opportunity to step back and evaluate their HR function, ensuring its data is secure, classified, compliant and working for the company,” concludes Allemann.