GDPR forces a rethink on who owns HR data

The GDPR is the toughest piece of data privacy legislation to date that puts data firmly back in the control of the individual and Australian businesses will need to adapt

The introduction of Europe's new data protection regulation, the General Data Protection Regulation (GDPR), is one of the most comprehensive pieces of privacy legislation to date, but many Australian businesses incorrectly assume that it doesn't apply to them. Gartner research predicts that more than 50 percent of companies are unprepared.

The consequences of non-compliance are severe with fines of up to €20 million or 4% of their total annual turnover (whichever is greater) not to mention the reputational risk at stake.

While the Facebook Cambridge Analytica scandal was a warning shot to companies whose revenue model hinge on the collection of external user data, the GDPR impacts businesses more broadly as it encompases the processing of personal data of employees - especially HR data.

Australian businesses of any size that hold, control or process personal data of EU resident employees or customers regardless of the business' location will need to comply with the GDPR. This may include employees that have been seconded to Europe or an Australian database that maintains a record of expatriate candidates from European countries.

If your business isn't in-scope for GDPR, it soon could be with the Senate recently supporting a Greens motion calling for Australia to adopt stronger privacy protections in line with the EU's GDPR.

Regardless of where your business falls, you should be prepared. Businesses need to be mindful now more than ever of the data they collect, the reasons why they collect it, who is responsible and where and how it is stored.

The GDPR aims to give individuals more control about what data organisations keep about them and how it is used and protected. It goes beyond many of the requirements of Australia's current privacy laws as it gives individuals rights of access, erasure and transfer of their personal data online.

For instance, an individual can demand that their former employer remove their data and unless the organisation has a legal basis for keeping that data (such as for tax purposes), it must be removed securely within designated timeframes and with evidence of having done so.

While the GDPR is not explicit on ownership of personal data, the spirit of the GPDR is a rights based approach of the individual which is more consistent with the position that the individual owns the personal data.

This means that companies who create and maintain employee records within the confines of their organisation may need to reevaluate their mindset surrounding ownership of HR data.  It involves asking hard questions and moving away from the notion that because they've invested the necessary resources in acquiring and maintaining employee records, they automatically own the data and can do what they want with it.

Another requirement of the GDPR is that the employee data needs to be processed in a way that maintains its accuracy, leaving very little room for data that could potentially be out of date. This leaves companies who are using their own bespoke systems and who don't have the appropriate checks and balances in place at risk.

Companies will eventually relinquish the burden of maintaining employee records and instead move towards a centralised and trusted repository of people information that enterprise organisations can use collectively. Regulations such as the GDPR that assign more rights to the individual on the control and protection of their personal data will only accelerate this transition.