People analytics can help your organization make better decisions across many areas of the business. In order to have a real impact, though, people analytics tools need to be used widely. But when sensitive employee data is accessed by hundreds or even thousands of employees, how do you ensure compliance with privacy rules and regulations? It takes the right tools and education. Here, we dive into the details of both.
To roll out people analytics broadly, companies need to “productize” it. What do we mean by that? Simply put, productization is the process of scaling the use of the technology to the entire company. People analytics becomes a product when it is used by a whole range of decision makers in their daily work — not just by the HR department.
To succeed as a product, people analytics needs to fulfill these four criteria:
For this article, we will focus on the fourth criterion.
We recently sat down with Jan Joris Vereijken, chief architect at Crunchr, to talk about data privacy and people analytics.
A former chief security architect at ING with a Ph.D. in technical computing science, Dr. Vereijken is at the forefront of this challenging topic. He shared his thoughts on what companies should consider with regard to data privacy and security when scaling people analytics.
Even with the best technology solutions in place to protect sensitive employee data, privacy breaches still happen due to human error. This is why a two-fold education program is so important. First, there should be broad, company-wide, mandatory training covering the basic “do’s and don’ts” of privacy, such as:
This type of awareness training – which can be a 30-minute presentation once a year – could be combined with the information security awareness training that is already commonplace.
Secondly, companies should offer deep and focused training on the GDPR requirements and privacy technology for the people whose primary roles involve data handling, including the Data Privacy Officer (DPO), the Chief Information Security Officer (CISO), and key roles in customer service and incident handling. This deep-dive training combines studying course material and one-on-one training on the job.
Unauthorized access to data is a common privacy breach. Companies can prevent this by implementing a Role Based Access Control (RBAC) system. This system very precisely defines what access rights a specific “role” has, and which individual has which role. A talent manager may have a role that allows access to all appraisal data, talent data, and succession data of employees across the whole company, but not to salary data, home address data, or absenteeism data.
In contrast, an HR business partner for a specific business unit may have a role that gives full access to all data fields, but only for the employees in that specific business unit, and not for employees in the rest of the company.
Choosing these roles is more difficult than you might expect: they should be neither too broad nor too fine-grained. Done wisely, you can (and, under the GDPR, must) reach a state where the RBAC system defines very precisely which people can see which data. Together with standard IT controls, such as authentication and encryption, the RBAC system helps ensure that the rules you define are actually enforced. Note that designing and operating an RBAC system is notoriously difficult and error-prone. Many companies that build in-house people analytics tools go wrong here, and it is one of the reasons customers choose Crunchr.
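The two roles described above combine a field restriction (which columns a role may read) with a scope restriction (which employees it applies to). The following added example, not Crunchr's code, shows a deny-by-default check that enforces both; the role names, field names and employee records are constructed for illustration.

```python
"""Field- and scope-level RBAC check for people analytics data (illustration only)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Role:
    name: str
    allowed_fields: frozenset            # data fields this role may read
    business_unit: Optional[str] = None  # None means company-wide scope

SENSITIVE = frozenset({"salary", "home_address", "absenteeism"})
ALL_FIELDS = frozenset({"appraisal", "talent", "succession"}) | SENSITIVE

# Constructed roles mirroring the two examples in the text: a company-wide
# talent manager without the sensitive fields, and a unit-bound HR business partner.
ROLES = {
    "talent_manager": Role("talent_manager", ALL_FIELDS - SENSITIVE),
    "hrbp_finance": Role("hrbp_finance", ALL_FIELDS, business_unit="Finance"),
}

# Constructed mapping of individuals to roles (one role per person here).
ASSIGNMENTS = {"alice": "talent_manager", "bob": "hrbp_finance"}

# Constructed employee records; only the business unit is needed for scoping.
EMPLOYEES = {
    "e1": {"business_unit": "Finance"},
    "e2": {"business_unit": "Sales"},
}

def can_read(user: str, employee_id: str, data_field: str) -> bool:
    """Deny by default: unknown users, roles, employees or fields all yield False."""
    role_name = ASSIGNMENTS.get(user)
    role = ROLES.get(role_name) if role_name else None
    employee = EMPLOYEES.get(employee_id)
    if role is None or employee is None:
        return False
    if data_field not in role.allowed_fields:
        return False
    # Scope check: a unit-bound role only reaches employees in that unit.
    return role.business_unit is None or role.business_unit == employee["business_unit"]

def visible_fields(user: str, employee_id: str) -> frozenset:
    """Exact set of fields a user may see for one employee; handy when auditing role design."""
    return frozenset(f for f in ALL_FIELDS if can_read(user, employee_id, f))
```

Reviewing the output of `visible_fields` for each role against a few sample employees is a cheap way to catch roles that turned out broader (or narrower) than intended.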
Privacy compliance should be top-of-mind when it comes to choosing a people analytics solution. Here’s what an organization should be looking for:
a) A solution designed from the ground up to comply with the GDPR. You cannot bolt on privacy compliance afterwards;
b) A provider that offers people analytics as their main product, not a company that does people analytics on the side. Without this singular focus, they may miss the finer details of how to make the solution secure;
c) A company that takes security and privacy seriously, as evidenced by a dedicated security team, independent audit and penetration test reports, and good market credentials, including references from large corporate customers in regulated industries such as banks or insurance companies.
To harness the power of people analytics, scaling across the organization is essential. Unfortunately, that also involves privacy compliance risks. While it is not possible to avoid all risk — data hacks and honest mistakes will happen — following these recommendations from Dr. Vereijken is the best way to keep compliance high and threats low.
Crunchr was built in compliance with GDPR from the start, and offers best-in-class data privacy and security functions. Learn more in our free demo.
Head of Marketing