Importance of data security with a focus on compliance
Every company that owes its performance in the market to the management of valuable data knows the dangers of breaches in data security. The commercial and reputational damage of failing to protect customer data can be seen with the briefest searches of the newspapers, as the number of high-profile data breaches continues to grow. Now, regulators are acting to create common ground across international borders by defining the responsibilities of organisations in regard to data protection.
From 25 May 2018, the General Data Protection Regulation (GDPR) governs the processing of personal data by organisations established in the EU and by entities outside the region that offer goods or services to individuals in the EU (which at that date still included the UK) or monitor their behaviour. The move is an attempt to harmonise the rules across international borders, and it will involve a lot of work to understand how the regulation differs from the existing national laws it replaces.
"Data has always been at the heart of our business. HR professionals work with data on a daily basis. Our customers expect their data to be safe, and they are right. Long before GDPR, we had already started a journey of taking the right steps to protect customer data and to ensure that they were well aware of what was happening. With GDPR, we continue that journey and we enhance the measures we are taking to ensure that we are fully compliant by May 2018," says Steven van Hoorebeke, CEO of SD Worx.
"There is a lot of uncertainty. HR professionals don't really know what is in it for them, or what they have to do. That is why we are organising a lot of information sessions and workshops to let people know what their obligations and responsibilities are. Everybody will be ready when GDPR comes into force," he says. "Everyone has to understand not only the security measures that are in place, but also individual data rights. So it must be in the DNA of HR professionals. If they don't take the right measures, it can lead to severe penalties, but we see GDPR as an opportunity. By taking more care and protecting data, we can really raise the bar."
SD Worx is one of Europe's leading HR services and payroll companies. It serves more than 63,000 organisations of all sizes, and every month it calculates more than 4.3 million salaries. Its corporate ethos is based on international growth, customer-centricity and digital leadership, which necessitates a forward-looking approach to data security and regulatory compliance. It has already obtained an independent System and Organization Controls (SOC 1) attestation report, and it believes its approach to GDPR is robust. A SOC 1 report covers the controls relevant to clients' financial reporting, such as payroll calculation, rather than security and privacy controls (the scope of a SOC 2 report), so it complements GDPR preparation rather than demonstrating compliance with it.
"If you are running a successful business in this industry, then data is crucial. So we have always been heavily focused on data security. But with GDPR, we must enhance all of the measures we take so that our customers can rely on us. Our strength is our people - our IT people, our payroll clerks and HR professionals - and we feel confident, which is why we have external auditors looking at all of our processes and we are fully SOC 1-compliant. We feel comfortable with our progress towards GDPR compliance," says Van Hoorebeke.
"GDPR will bring the whole of society to a much better place in terms of data protection. It gives control of data back to people, so the most important actions are to focus on the data and take a people-centric approach, to take care when you are analysing and distributing data, and to think about its external exposure. Know what you are processing, with whom you are sharing it and how you are protecting it."
A matter of trust
Much of the detail of GDPR is similar to the laws currently in place in the EU, because those laws implemented the 1995 Data Protection Directive that GDPR replaces. To a large extent, it is comparable, for instance, with the UK Data Protection Act (DPA) of 1998, which also applies to personal data. But there are differences in the details that must be understood. For example, GDPR makes it clear that an online identifier such as an IP address or a cookie identifier can also be personal data when it can be used to single out an individual. In this way, GDPR reflects changes in technology and in the way that organisations collect personal information.
"We have more cybersecurity problems in a data-driven world. The number of high-profile data breaches is rising, and so is the number of data records involved in those attacks. Here, we are convinced security and privacy measures will become more important than ever before," says Gert Beeckmans, chief risk and security officer at SD Worx.
"We must do more to protect people's data, and GDPR can be an important catalyst for doing so. Customers trust us with their data, which is one of their most valuable assets. We want to make sure they can be confident their data is safe with us."
Beeckmans adds, "When it comes to data privacy, we want to be transparent about how we collect and use customer data, and about the measures we take to protect it. We will continue to invest in our data security measures and be compliant with the law. GDPR is about giving people back control over their data, so you need to have a data-centric and people-centric approach.
"You must understand people's rights and be able to explain them. Our customers are still uncertain how they should prepare for GDPR, and they are struggling to create an action plan for compliance and we want to be able to help them with that. We want to take the lead in the industry and share best practice."
One key part of the education and consultation efforts of SD Worx will be to highlight the differences between GDPR and local regulations, but another will be to highlight the potential benefits, as well as the risks. GDPR is, after all, a single regulation that applies directly in every member state, so an international company no longer has to reconcile a different national transposition of the 1995 Directive in each country where it processes data.
"For me, what I see with GDPR from my international experience is a huge alignment of regulations, which were quite different around the world. That is a big advantage for global companies, because they can follow the same rules everywhere. That brings transparency to how we are managing data. GDPR attempts to align the rules between different countries, which means that the way we manage the data will be the same at the end," says Jean-Luc Barbier, international managing director at SD Worx.
Unearthing the opportunities
GDPR brings many obligations, such as the requirement for controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and for processors such as payroll providers to notify the controller without undue delay. It is often viewed through the lens of the regulatory burden and the risks of non-compliance.
Barbier, however, has a more positive outlook. "GDPR is not a risk because most big companies are using service providers like us, thus the only risk is to do nothing. There may also be a risk with timing, but everyone will follow these rules and will clarify how HR professionals work with client data. GDPR is a chance for professionals to play a big role. We know very well how we have to align data at a global level, but we also understand the current status of the data at a local level, so we can bring a lot of value," he remarks.
"For clients, GDPR also brings internal alignment, which will in turn create more efficient and reliable data processes. From our perspective, we can help them at a global and local level to ensure that everything is properly aligned."
GDPR is knocking at the door, and the finance, payroll and HR industry has no choice but to let it in. With the right planning and advice, it is possible to ensure that it takes us to a better place.