Today’s blog post about the potential of GDPR and HR comes from Roland Axten, Business Analyst at Inter-Ikea in the Netherlands
The potential of GDPR and HR for more effective information management in the workplace
It turns out we are supposed to know what we are doing. I’m sure many of us have suspected this was the case. But we are now becoming increasingly legally obliged to know our business, especially in HR. With the demands of privacy regulation and in particular the impending advent of GDPR (the General Data Protection Regulation) in the European Union we are obliged to not only know what we are doing, but also why, how much, who by, for how long and to various levels of classification. For organizations that have avoided documentation and process mapping or avidly follow the agile manifesto to focus only on creating this may well be seen as both a burden and an inconvenient imposition. In the case of HR, where our focus is on employee data, we are discovering how widespread that data insinuates across our business landscape.
So GDPR and HR – how do we get a grip on the employee data?
Our people are doing things, things we hired them to do, important things, things of business value and purpose but to achieve that, their information can end up being spread across our estate like butter and jam on toast. Many of us have been so busy keeping things going that the prospect of tracking where in our multiple ways of working our employee data is used could seem daunting or even overwhelming. Where do you even start? Increasing this challenge from an HR perspective is the issue of scope – utilization of this information goes far beyond the standard limits of HR activities. For many organizations this task will seem so great that reaching a state of compliance would be such a significant end in itself that the option of doing more would be out of the question. But there could be more beyond compliance. There may well be some significant benefits in understanding the where and why of our person data. Do we run the risk of not seizing the opportunity to aim for improvement by seeking only to deliver to privacy regulations?
The potential of going beyond just being compliant
Any endeavor in this area of employee information should certainly be coordinated with a systematic approach to personal data privacy. Especially as the core personal privacy elements are the same for all groups of data subjects such as employees, customers or suppliers, each could include: name, home address, bank account number etc. The definitions of these terms in our business must be consistent, not only for privacy assessment but for information management as a whole. Businesses that have already established effective information mapping will still need to secure the privacy dimensions such as governance and securing the rights of data subjects. Those of us who are not there yet can benefit from going the extra mile beyond compliance and secure an information lead aspect by systemizing our work. This would be a key component in augmenting a human approach to workforce management with scientific methodology. Systemics and taxonomy are foundation elements for good science, they enable relevant experimentation in the discovery of consistent best practice. As we seek to improve ourselves and our businesses surely, we should seek to utilize as many advantageous methods as we can. And now that we need to align GDPR and HR and do so much analysis of our employee information setup for privacy purposes let’s finish that job all the way to delivering business value beyond mitigating risk.
If we did make this investment in resources, time and effort what benefits could we achieve? As indicated earlier there are immediate values in building a balanced information structure: Process design is greatly improved because the information being used in and created by our processes is consistently and coherently described. Process descriptions are prone to quite some variety in how they depict our activities, even when they are produced in a professional and collaborative manner. We often have processes that are well described in terms of their internal functionality but are weak in effectively linking to each other. It is as if they are in different languages or accents. Where we apply consistency in the information elements of the processes this variance in style becomes much less of an obstacle in depicting the big picture of our enterprise. Along with stronger process design having a defined pallet of information content helps us to identify the combinations of information that we use in our business, the information “assets”. Defining these aggregate objects also requires comparability and consistency which is well served by a standardized model. The “use” of the asset comes from the process description and the “content” of the asset is made up from the information objects. This is both very useful for the privacy design to a high level of precision but to know the actual combinations that create business value in our ways of working can trigger insight and form the basis to effectively critique how we link and share our data. The decision on what words are chosen to create our information model is a reflection of our capabilities, our priorities and our culture. But we can go further than this rather inert application of our model, the model itself is passive but we can leverage it in combination with our other initiatives to deliver clarity to our whole business operation. To do this our ambition has to extend beyond defining the structure of our information to defining the information itself. A business glossary becomes both a key deliverable of information management and a valuable resource in improving how we work together effectively.
GDPR and HR: Move towards an integrated information architecture and deliver privacy by design
The possibilities of working well with information go further than creating artifacts and references. These can also be leveraged to improve our working methods. The most general benefit is a wide but consistent understanding of our enterprise. We can leverage this perspective to avoid the inefficiencies of planning in silos and for isolated objectives. Put simply, the full connection of our information needs to be understood to be exploited. I used the word asset earlier to describe groups of information with a certain context, the implied value here will not be achieved unless it is realized to maximum impact. One impact that is heavily reliant on understanding the full context is to deliver privacy by design. The design element here indicates a broad perspective and directed intention. Without this you can deliver privacy by default, but not by design. The relevance of our work is improved not only for managing privacy but also for every potential touchpoint we have with our employees. We can identify with greater purpose how we share our information and collaborate together. And it is this collaborative effort that will produce our best results. From practical measures such as shift planning through to sharing the creative development of our objectives we have the opportunity to improve how this is done, with real-time relevant information. Aside from the personal decisions involved with an “always on” work culture as a business we are obliged to secure the relevance and the immediacy of the data we share. Part of delivering this is to be certain about what is being shared.
So back to GDPR and HR: it seems we do need to know what we are doing, but how much do we need to know? There is a risk of going too far, the tone for good information design is balanced by clear visibility which provides business value. When we start working with our information in this way we need to allow ourselves to make mistakes, but we should challenge ourselves to assess and refine the tone of our work. We calibrate by doing it in the same way teams synchronize effort estimates in kanban planning – agility is a toning exercise to begin with. So let’s be ambitious and really start to know what we are doing.