GDPR: Are there benefits beyond compliance?

As the deadline nears for GDPR implementation, Stephen Edwards of Interel chaired a panel at the Worldwide ERC's London Summit to unpick complexities and reduce the fear factor. Ruth Holmes reports.

The new General Data Protection Regulation (GDPR) is set to go live on 25 May. Intended to protect individuals’ personal information with a unified set of regulations across the EU, the wide-ranging GDPR seeks to align data legislation more closely with the fast-evolving digital landscape.

EU-based organisations of all sizes that collect or process the personal data of EU citizens will need to look at how they – and their partners – source, store, manage, use and protect sensitive and personal data ahead of the implementation date.

GDPR will also apply to organisations outside of the EU that offer services to, or monitor the behaviour of, EU citizens, including those providing cloud services, call centre and payroll services.

How are global mobility, immigration and HR affected by the GDPR?

Mobility and supporting services like immigration, tax, relocation management companies (RMCs) and destination services providers (DSPs) are therefore squarely on the frontline of the GDPR’s introduction.

Global mobility professionals, internal and external business partners and vendors routinely request or use exactly the type of personal and sensitive information that falls within the GDPR’s remit. This includes health, family, marital status and biometric information, as well as identifiers such as IP addresses and cookies for services delivered online.

The new GDPR legislation is therefore highly relevant to mobility and the stakes are high, with significant penalties for transgressions. Failure to comply with GDPR could attract a fine of four per cent of global turnover, compensation claims, plus hard-to-repair damage to reputation and trust.

Will organisations benefit from GDPR’s implementation?

To help the global mobility community get GDPR right, the Worldwide Employee Relocation Council (WERC) hosted a panel discussion at its annual London Summit last week.

Chaired by global public affairs firm Interel’s Stephen Edwards, the panel comprised Carole Crossley, Clients and Markets Global Leader at Deloitte’s global employer services, and Mustafa Bharmal, Director of Global Mobility Services – Regions & Project Assignment Mobility, who talked through their GDPR experiences to date and shared insights.

The overall message was positive: GDPR, while seeming both ominous and onerous, could actually bring with it benefits for efficiency and employee experience.

GDPR: what is the current state of play?

A recent study of 1,000 companies globally by research agency Coleman Parkes in association with DDI services vendor EfficientIP, suggests that around three-quarters of UK companies are ready for GDPR – the highest figure for EU countries.

Similarly, 84% of US companies are confident of their GDPR readiness with 100 days to go to implementation.

This figure corresponds broadly with Carole Crossley’s experience. She told delegates she is seeing a whole range of companies at different points of preparedness. “The first of January seemed to be a defining point for many companies to jump into action,” she said. “I can tell where people are with GDPR from the type of questions they ask. For some, it’s ‘where do we store our data?’ Others are down in the weeds of GDPR and how it relates to them. They are asking, for example, what they should be doing with data saved from test environments.”

How have global companies approached GDPR implementation?

Among the companies likely to count themselves in that majority, and already in the detail of what GDPR means for them, is global conglomerate Honeywell.

“We are quite strong on data privacy. What GDPR changes have done I think is got people to rethink and basically check their baselines,” said Mustafa Bharmal, on the impact of the deadline.

“That's kind of been the approach coming down from HR leadership: getting a GDPR champion in each of the sub-functions and rallying the troops.

“Then it's really coming back to basics and looking at everything; what employee data we handle, how it is collected and all the different ways, eg email, even over the phone, vendor platforms, then focus on the sensitive data and what this is, and really adopt some rigour around this, for example is this really needed for that particular task.

“We use a lot of vendors and then it's making sure our partners have the same approach.”

Dealing with data in GDPR

With the recommendations from the Information Commissioner’s Office (ICO) on GDPR still evolving, the panel went on to talk about the challenges of implementation.

“Ordinary personal data can be treated differently to sensitive personal data,” explained Carole Crossley. “So for example, if I think of a couple of examples for sensitive personal data, for people involved in immigration, it's common to get health data. For those categories of highly sensitive personal data, it's really important to look at how and why you are holding that.”

Carole Crossley also highlighted how certain information can become sensitive depending on the context, particularly for immigration. The nature of data on gender, how people categorise themselves, and marital status, for example around same-sex unions, “could take on a different cast” depending on context and location, and require a new level of sensitivity.

“The key thing is the justification for having that information and that you have the appropriate measures to protect it,” said Mustafa Bharmal.

Managing the nuances around this clearly requires a robust framework and an understanding of what sensitive personal information is held. Part of this is ensuring “privacy by design” in reports and online form fields, noted Carole Crossley. For some companies, this also means introducing multi-factor authentication processes.

“You have technology control you can add in, then you have process control, too. It's looking at it through both,” said Ms Crossley.

“Another thing really is looking at standardisation of how you collect data. You collect it in lots of different forms. What we’ve tried to do is be more predictable in how we manage and distribute data,” said Mustafa Bharmal.

“We've tried to create a single mechanism through which our assignees are initiated and tracked. Honeywell is a big conglomerate, but for business reasons, we should try to have a singular method to initiating and monitoring assignments.”

Making GDPR work

Interestingly, panel members felt that 25 May could present an opportunity. By looking again at the information routinely captured and the infrastructure around data capture, GDPR could be used to improve data analytics and internal ecosystems, especially around leveraging the predictive capabilities of data.

“Data is power. Not only does it mitigate against risk and limit it, it also offers insights,” added Carole Crossley. “You have a line of sight into data. Our clients are spending less time on spreadsheets and are making better decisions.”

GDPR, data analysis and service improvements

At Honeywell, approaching data in a more robust way benefits the company on three levels. First, from the compliance aspect. “It allows us to keep up with what governments expect us to be doing. If you think about business travellers, it also allows us to interrogate expenses and travel, and be on top of what is going on and already a requirement,” said Mustafa Bharmal.

“Second, we have streamlined processes, for example to make cost modelling more accurate, and require less reworking so people get faster approvals.

“Third, it fits with our users’ experience – this is essential today. Individuals are juggling different data sources. What we've tried to look at is how we can help HR and employees moving be better enabled to see their status, initiate things and carry out tasks in real time. Obviously, the downside of that is making sure we are compliant for GDPR.”

Top tips for robust GDPR compliance

An interesting perspective offered by the audience – perhaps highlighting the appetite for change – is whether GDPR offers the chance for in-house experts to be drawn in and work more closely with suppliers to leverage data, for example, by sharing digital handshakes while limiting data leakage through emails and spreadsheets.

Carole Crossley whole-heartedly agreed with this sentiment. “Definitely – data integration is massive. Even if it's just to reduce the human error element, collaboration between vendors and clients across company boundaries is going to be massive. We are in a different world now. The collaborative vendor ecosystem is really coming into play. GDPR is driving a lot of this and user experience, but privacy is definitely a strand of this.”

Delegates were also able to share their good practice around GDPR, including policies around Skype document uploads, and good document design to limit the amount of free-text space and therefore inadvertent sensitive personal data sharing.

With the GDPR deadline fast approaching, it is clear that doing nothing is not an option. Yet as the speakers and audience showed, doing something for GDPR can also bring benefits beyond compliance.