By Hema Ravichandar | Strategic HR Advisory, former CHRO Infosys Ltd
With the personal data protection bill expected to be passed soon, companies will have to build a mechanism, led by the human resources team, around how they handle data
It was in 2017 that a plethora of mails in our inboxes informed us that we had the right to opt in to continue receiving updates from companies that had our personal data. Those same companies helpfully informed us that their privacy policies had recently been updated, courtesy the European Union’s General Data Protection Regulation (GDPR). For many of us, it was then that the concept of data privacy became something to think about.
Many Indian companies, however, did not see the need to change their data collection and processing practices. Till now. With the Personal Data Protection Bill expected to be passed by Parliament soon, Indian companies will have to design and implement a host of controls and procedures around how they handle personal data—not just of their customers, but also of their employees. In all of this, HR, the custodian of policies and culture, will have a significant role to play.
But in the second decade of the 21st century, when our data has gone to all corners of cyberspace, this is no longer acceptable to a growing number of people, and there is a pressing need for guard rails to be put in place. There needs to be a shift in the culture of organizations to place the sanctity of personal data of the employee at the centre, and HR is perfectly placed not only to manage the data of its key customer, the employee, but also to create an ethos of data privacy.
How will employee data be collected, stored, analysed and destroyed? How will these processes be communicated to the employee? What protocols are required when sending employee data outside the organization, or even abroad?
Employees who manage the data of clients, fellow employees or partner organizations will need to be aware of and trained on their obligation to protect data zealously. A small error on the part of the employee can ring the death knell of an organization, especially in an era when companies have faced huge fines and government attention over data breaches. Grievance, breach and redressal mechanisms will need HR attention.
Videos that disseminate the whats, whys and hows of data privacy in the organization will empower employees and allow them to make informed choices. Employment contracts, non-disclosure agreements and policies will need clear messaging. When employees exit the organization, there should be a system for how long that data is stored, and a system for employees to access and download their data.
Data audits will be vital: what information about the employees does the organization have? Why has it been collected? How much of it is needed? What will you use it for? Would you give it to third parties? What kind of controls will you impose on those third parties? How will you ensure they destroy the data once it is no longer needed? For example, in the case of common benefits like health insurance, who collects health data from employees?
Ethics take centre stage
HR maintains and handles sensitive data of employees, both potential and current, on a large scale, ranging from data on health, sexual orientation, marital status and family members to salaries and performance appraisals.
The culture should be such that they feel responsible for protecting data, and have the right tools and processes to help them do so.
A case for business ethics comes alive. Organizations will now require a multidisciplinary task force that comprises legal expertise, data protection officers and HR, who will check compliance and be the point of contact for the government or other bodies. Also, the team in HR that manages analytics will need strong training to be up to date with the relevant laws.