Recruiting Data Privacy Laws

Recruiting in the Age of Stringent Data Privacy Laws

Analytics, decision sciences and AI/ML-led automation have become mainstream technologies for virtually every major corporation today, while smaller companies are at different stages of adoption, ranging from assessment to blueprint to vendor selection to starting implementation. The focal point of discussion has shifted to the ingredient that enables digital transformation: data.

Factors like competition, changing customer expectations, demand for more personalized digital journeys and market forces are determining the direction and urgency of an organization’s transformation needs. New technologies are often seen as disruptors and serve as levers to drive innovation.

Ethics as a competitive differentiator for Data Controllers?

One of the most talked-about phenomena is the exponential growth in data, be it structured or unstructured, qualitative (binomial, nominal or ordinal) or quantitative (discrete or continuous), and so on. Organizations need to understand their customers and stakeholders better, and they are increasingly seeking insights into the data available to them. It is not just the data or its use that will bring long-term benefits: how ethically the data is put to use will also be an important decider. Trust, safety and integrity have become bywords for competitive differentiation – companies realize that these will be the key to long-term value creation.

Consent, confidentiality, privacy and data governance issues are prickly in nature, and companies are looking for broader consensus to establish best practices. There is a need to translate ethical principles into professional behaviors that permeate the length and breadth of an organization. Gartner has picked digital ethics and privacy as a strategic trend for 2019. This, they say, is in the wake of Government planning and resolutions that companies must adhere to, and of consumers becoming more aware of their rights as well as the value of their personal information. While the organization must gain and maintain trust with the customer, it must also ensure that customers view it as trustworthy.

The UK has become the first country in the world to launch a Centre for Data Ethics and Innovation, an advisory body intended to strengthen and improve the use of AI and Big Data in the UK. Established by the Government, it is part of the £1bn programme that provides funding and support to AI and Big Data projects. Brazil, Japan, India and South Korea are all drafting their own laws around data privacy. Silicon Valley will also have the California Consumer Privacy Act.

Transparency = Intention Plus Informed Consent

There has been an improvement across companies in terms of their data-privacy practices, data retention procedures and transparency in the usage of data. However, it is a journey many companies are only just beginning. Organizations need to build a data privacy culture and align business and organizational goals to reflect the new realities. A top-down approach is needed – the leadership needs to be on board, and it is not limited to hiring Data Protection Officers or spending dollars on data protection programs. Organizations must bring transparency to the way they collect, store, analyze and monetize data. They also need to state clearly the intended use of the collected data, though the jury is still out with respect to the validity and scope of the consent which has been provided. Responsibility for safe data handling also lies with organizations that deal with customer data – today more and more companies are taking up initiatives to educate and inform their customers about the importance of safety while handling their personal data.

Under the GDPR regime, any organization that deals with the EU, or with data belonging to persons within the EU, is also obliged to take privacy laws seriously and build around them. It is not just a European phenomenon.

A DPO isn’t enough

In a GDPR Live environment, organizations are looking to operationalize their data privacy strategies and compliance programs and trying to make them the new ‘normal’. The International Association of Privacy Professionals, which provides training and certifications to professionals and practitioners, estimates that the global demand for Data Protection Officers (DPOs) will touch 75,000. “Organizations whose core mandate is to process EU citizens’ private data on a large scale, or who consistently process highly sensitive data, must appoint a DPO irrespective of their location. The core responsibility of a DPO is to have a solid understanding of the GDPR and act as a liaison between the authorities and the organization. They are further expected to train employees on individual responsibilities within the ambit of the GDPR and on proper data handling practices, to be conversant with the changing legal and technological framework, and to manage the data protection programs.

Clearly, appointing DPOs and being at the top of the game isn’t enough, as scores of breaches testify.

Building a Data Privacy culture is not only an organization’s responsibility but it also drills down to the individuals.

Recruitment and data privacy

In one of our blog posts we examined the impact of GDPR on recruitment operations. The growing dependency on data to hire better and quicker is more pronounced than ever before. We argue that the central themes that should drive recruitment operations are to close the gaps and vulnerabilities, current or potential; reduce the risks; define roles and responsibilities with respect to data, both inside the organization and involving external stakeholders; and templatize the best practices. The dual role played by employers, recruiting teams and service providers (often being Data Controllers and Data Processors simultaneously) makes this challenging. For example, the data breach at Zhilian Zhaopin, which was reported in the press in July 2019 and involved 160K personal resumes, showed poor data protection compliance and hygiene. The reasons: alleged negligence towards password protection and misplaced legacy hardware. Recently, France’s National Data Protection Commission, CNIL, imposed a €50mn fine on Google LLC for breaking GDPR rules in processing user and customer data around advertising, railroading customers into sharing information and data through processes that they don’t necessarily understand.

Nurturing a culture of data privacy across people, processes, and technologies

  1. People: Recruiters are the first point of contact with potential candidates and as such are also the ones who have the responsibility of ensuring a higher Candidate Experience (CandE) quotient every single time. Add to this the fact that they are the primary handlers and processors of candidate data. These factors make it extremely critical to instill data privacy concepts in them. Recruitment service providers need to establish and formalize internal training and certification programs on GDPR compliance for their recruiters. Being a part of this regimen can forestall any mistake or wrong move on the part of a recruiter while handling sensitive candidate data.
  2. Processes: Candidates expect their personal data to be safe and to be used for the intended purposes only. For talent acquisition teams, data privacy should be built into the core of operations. A clearly defined data privacy policy goes a long way to establish the necessary credentials – to define intent, business need, and consent. There is also the need to adopt the necessary safety and security processes that are mandated by the GDPR regime, such as the Subject/Data Access Request and Candidate Self-service pages which enable data subjects to search, view, modify, restrict or delete their information held on record. While working for clients, obtaining the electronic/digital consent of candidates before processing their resumes is a priority. It fulfills the requirements laid down in GDPR and the UK Data Protection Act. Candidates also need to have the opportunity to request removal of information and data from the database across platforms, and data controllers should have the required mechanisms to address these concerns.
  3. Technology: Technology should conform to the data privacy laws the organization and/or team falls under; it is important to extend data privacy functionalities to the technologies and platforms that are being used across the recruiting value chain: recruitment, pre-boarding, on-boarding, ongoing, separation and off-boarding.

As with other functions which are dependent on data such as Sales, Marketing, Customer Service etc., regulations such as GDPR can help transform the function of talent acquisition by presenting unique opportunities to the teams to create trustworthiness and competitive differentiation in the marketplace.
