With all of the hype surrounding next month's GDPR compliance deadline, many people I speak with are comparing it to Y2K, suggesting that it is the single biggest change to software in general – but also the one with the greatest degree of ambiguity in regard to its implementation. ‘At least we all knew we were going to end up living in caves after Y2K’, a colleague recently told me. ‘What’s going to happen to us after the May 25th Deadline?’
Depending on what you read, companies are truly not prepared for GDPR, with research suggesting anything from 54% of companies not yet being compliant to only 12% of those who claim to be compliant actually being so. What is consistent is that our industry, which supports larger organisations with their competency assessment initiatives, appears to be one of the latecomers to the GDPR world.
While there are plenty of online resources available that help explain the GDPR minefield, I want to outline what specifically this means for an organisation's 360-degree competency assessment process in clear and jargon-free language, and in doing so, help to outline how we are supporting this requirement.
Firstly, what is GDPR?
In a nutshell, it is a better, more secure and practical way of enforcing the management of people's data within the boundaries of the European Union – and frankly, something long overdue in my opinion. One of the many important changes introduced by GDPR is the obligation for companies outside of the EU to be compliant if they collect or manage data for users within the EU. In other words, if you have clients in the EU, you are affected by this.
GDPR hands the rights of data ownership back to the people. In doing so, it makes it easier for those people to know about and act upon their personal data.
So how does this affect a 360-degree assessment process?
Well, firstly, all users (job-holders AND raters) involved in an assessment process will be required to consent to the collection and management of their personal information. In most cases, this ‘personal data’ will be the user's name, email address, organisational structure data, IP address if collected, and essentially any other easily identifiable information. If a user is invited to a survey, they will need to ‘agree’ to an easy-to-understand consent page that explains what we are doing with the data, how we are storing it, who will see it, and so on.
Once inside our platform, the user will also have easy access to privacy statements that reiterate this information in clear and simple English. Users can also request to access, view or update their personal information, which means we must send them all personal information contained in our platform for their review.
If the user wishes to have this data removed (known as the right to be forgotten), we must permanently remove their personal information from our systems.
Doing so does NOT impact the privacy and confidentiality of the other rater groups in a survey. Since many of our reports are online and interactive, allowing job-holders to return and review their reports at any time, naively removing, for example, one peer from a group of three peers could theoretically break the minimum rater threshold for the peer category, allowing the job-holder to see the score differences and so potentially reducing or removing confidentiality amongst raters.
With GDPR, however, while we remove the personal information associated with a peer, we leave the individual competency and statement scores in place as ‘anonymised data’, so the integrity of the report is maintained.
After a certain amount of time has passed, the job-holder is asked to reaffirm their consent for us to maintain their data. We expect this to be at least an annual process. Raters will not be required to provide ongoing consent; their personal data will be automatically removed and their scores fully anonymised.
What this means in practical terms is that, assuming all invited job-holders and raters consent, a job-holder will have a report outlining their scores and who within each rater category has responded. However, 12 months from now, the same job-holder will still have a report but will not be able to identify who has responded.
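As an added illustration (example code, not the Profiling Online platform's own), the erasure and annual-expiry behaviour described above modelled in Python: personal data is removed, but scores stay as anonymised data, so rater counts and category averages in the job-holder's report do not change. The thresholds, retention period and sample survey are assumed values constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
# Assumed values for this example, not the platform's real settings.
MIN_RATERS = {"peer": 3, "manager": 1}  # responses needed before a category is shown
RATER_RETENTION = timedelta(days=365)   # raters' personal data auto-removed after this

@dataclass
class Rater:
    category: str
    scores: dict           # competency -> score; retained as anonymised data
    name: str = ""         # personal data ("" once erased)
    email: str = ""        # personal data
    responded: date = date(2018, 5, 25)

def erase_personal_data(rater):
    """Right to be forgotten: drop identifiers but keep the scores, so rater
    counts and averages in the job-holder's report do not change."""
    rater.name, rater.email = "", ""
    return rater

def expire_rater_consent(raters, today):
    """Raters are not asked to re-consent: past the retention period, anonymise."""
    for r in raters:
        if today - r.responded >= RATER_RETENTION:
            erase_personal_data(r)
    return raters

def build_report(raters):
    """Per-category averages; a category under its threshold is withheld, so the
    job-holder never sees a group small enough to attribute scores to a person."""
    report = {}
    for cat, minimum in MIN_RATERS.items():
        group = [r for r in raters if r.category == cat]
        if len(group) < minimum:
            report[cat] = {"withheld": True}
            continue
        report[cat] = {
            "n": len(group),
            "avg": {c: round(mean(r.scores[c] for r in group), 2) for c in group[0].scores},
            "responded": [r.name for r in group if r.name],  # only still-identifiable raters
        }
    return report

def sample_raters():
    """Constructed sample: one manager and three peers scoring two competencies."""
    return [Rater("manager", {"leads": 4, "listens": 5}, "Mia", "mia@example.com"),
            Rater("peer", {"leads": 3, "listens": 4}, "Ann", "ann@example.com"),
            Rater("peer", {"leads": 4, "listens": 4}, "Ben", "ben@example.com"),
            Rater("peer", {"leads": 5, "listens": 3}, "Cal", "cal@example.com")]
```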
Finally, we must demonstrate that data stored by our platforms is secure and properly maintained in the right jurisdictions. Encryption of data, proper information security policies and regular audits of those policies, along with full disclosure and reporting of any data breaches, are all part of the post-GDPR world, and while this is nothing new to us, it is definitely proving to be a challenge elsewhere.
What has been a surprise to me personally is the number of global organisations that have only recently sought information or assurance on our GDPR compliance, leading me to believe that while the ‘big-ticket’ GDPR compliance programs might be well underway and properly resourced in these organisations, smaller, less visible and potentially less supported initiatives such as employee competency assessment may yet prove to be the weak link.
Migrating to the Profiling Online platform can take as little as a few days, so if GDPR compliance in your competency assessment process is not something you have thought about, get in touch with us today.
Users must give consent when entering our platform.
Users should have access to easy-to-understand privacy statements that outline what we are doing with their data, who sees it, how it is managed and stored, etc.
Users have the right to access and update any personal information stored by us.
Survey participants will be asked to update their consent on an annual basis.
Data must be properly stored and protected by us and any security breaches must be reported.
Users can request that their personal data is permanently removed from our platform.