People analytics can help your organization make better decisions across many areas of the business. In order to have a real impact, though, people analytics tools need to be used widely. But when sensitive employee data is accessed by hundreds or even thousands of employees, how do you ensure compliance with privacy rules and regulations? It takes the right tools and education. Here, we dive into the details of both.
Productizing People Analytics Company-Wide
To roll out people analytics broadly, companies need to “productize” it. What do we mean by that? Simply put, productization is the process of scaling the use of the technology to the entire company. People analytics becomes a product when it is used by a whole range of decision makers in their daily work -- not just by the HR department.
To succeed as a product, people analytics needs to fulfill these four criteria:
1. It should be intuitive. For non-data savvy users in particular, a tool needs to be easy to use;
2. It should provide guidance. Users want to be able to quickly analyze data and understand the results;
3. It should offer help. Some users will need assistance getting up to speed with the help of an online learning portal, for example;
4. It should have an advanced authorization model to ensure data privacy and data security.
For this article, we will focus on the fourth criterion.
An Expert View on Employee Data Privacy & Security
We recently sat down with Jan Joris Vereijken, chief architect at Crunchr, to talk about data privacy and people analytics. A former chief security architect at ING with a Ph.D. in technical computing science, Dr. Vereijken is at the forefront of this challenging topic. He shared his thoughts on what companies should consider with regard to data privacy and security when scaling people analytics.
1. More than anything, privacy compliance is about awareness, so invest in workforce education
Even with the best technology solutions in place to protect sensitive employee data, privacy breaches still happen due to human error. That is why a two-fold education system is so important. First, there should be broad, company-wide, mandatory training covering the basic "do's and don'ts" of privacy. Things like:
● don't click on links in email;
● don't send privacy sensitive data via email;
● do report anything suspicious to the Data Protection Officer.
This type of awareness training -- which can be a 30-minute presentation once a year -- could be combined with the information security awareness training that is already commonplace.
Second, companies should offer deep and focused training on the GDPR requirements and privacy technology for the people whose primary roles involve data handling, including the Data Protection Officer (DPO), the Chief Information Security Officer (CISO), and key roles in customer service and incident handling. This deep-dive training combines studying course material with one-on-one training on the job.
2. Have a system to ensure sensitive employee data is only made available to the people who should see it
Unauthorized access to data is a common privacy breach. Companies can prevent this by implementing a Role Based Access Control (RBAC) system. Such a system defines precisely what access rights a specific "role" has, and which individual holds which role. A talent manager may have a role that allows access to all appraisal data, talent data, and succession data of employees across the whole company, but not to salary data, home address data, or absenteeism data.
In contrast, an HR business partner for a specific business unit may have a role that gives full access to all data fields, but only for the employees in that specific business unit, and not for employees in the rest of the company.
Choosing these roles is more difficult than you might expect. They should be neither too broad nor too detailed. But do it wisely and you can (and must, according to the GDPR) reach a state where the RBAC system defines very accurately which people can see which data. Together with standard IT controls, like passwords and encryption, the RBAC system helps ensure that the rules defined are properly enforced. Note that designing and operating an RBAC system is notoriously difficult and error-prone. Many companies that design in-house people analytics tools go wrong here, and it’s one of the reasons customers choose Crunchr.
3. Choose a people analytics solution wisely
Privacy compliance should be top-of-mind when it comes to choosing a people analytics solution. Here’s what an organization should be looking for:
a) A solution designed from the ground up to comply with the GDPR. You cannot bolt on privacy compliance afterwards;
b) A provider that offers people analytics as their main product, not a company that does people analytics on the side. Without this singular focus, they may miss the finer details of how to make the solution secure;
c) A company that takes security and privacy seriously, as evidenced by a dedicated security team, independent audit and penetration test reports, and good market credentials, including references from large corporate customers in regulated industries such as banks or insurance companies.
To harness the power of people analytics, scaling across the organization is essential. Unfortunately, that also involves privacy compliance risks. While it is not possible to avoid all risk -- data hacks and honest mistakes will happen -- following these recommendations from Dr. Vereijken is the best way to keep compliance high and threats low.