Many Indian companies, however, did not see the need to change their data collection and processing practices. Till now. With the Personal Data Protection Bill expected to be passed by Parliament soon, Indian companies will have to design and implement a host of controls and procedures around how they handle personal data—not just of their customers, but also of their employees. In all of this, HR, the custodian of policies and culture, will have a significant role to play.
I remember a time when we travelled by train and the primary pastime was savoring the delights that had been painstakingly packed or giving roaring business to local vendors as the train pulled into different stations. The second pastime was getting acquainted with fellow passengers. It was not uncommon to ask personal questions—regarding caste, family or even salary.
But in the second decade of the 21st century, when our data has gone to all corners of cyberspace, this is no longer acceptable to a growing number of people, and there is a pressing need for guard rails to be put in place. There needs to be a shift in the culture of organizations to place the sanctity of personal data of the employee at the centre, and HR is perfectly placed not only to manage the data of its key customer, the employee, but also to create an ethos of data privacy.
Of course, you need the C-Suite to champion this—invest in appropriate technology systems that enable the right data processing practices and speak about it at all available forums. The culture that reinforces the sanctity of personal data can only come when it is extensively spoken about and championed by leaders at all levels.
How will employee data be collected, stored, analysed and destroyed? How will these processes be communicated to the employee? What protocols are required when sending employee data outside the organization, or even abroad?
From the time of on-boarding, employees will need to know the data privacy processes the organization follows. Employees will have to be empowered to protect themselves, and will have to know their rights—right to know what information the company has about them, the right to correct that data, and the right to be forgotten.
Employees who manage the data of clients, fellow employees or partner organizations will need to be aware of and trained on their obligation to protect data zealously. A small error on the part of the employee can ring the death knell of an organization, especially in an era when companies have faced huge fines and government attention over data breaches. Grievance, breach and redressal mechanisms will need HR attention.
A number of issues will need to be addressed, from collecting information that is strictly job related during recruitment to using secure portals to receive data and gaining consent for processing data and keeping the required disclaimers in place. Today, with technology that allows for self-service on-boarding platforms, it will be important at all stages to receive consent and have a helpline in case employees seek clarifications.
Videos that disseminate the whats, whys and hows of data privacy in the organization will empower employees and allow them to make informed choices. Employment contracts, non-disclosure agreements and policies will need clear messaging. When employees exit the organization, there should be a system for how long that data is stored, and a system for employees to access and download their data.
Of course, there will be high-risk exits, and there will be cases where sensitive information will need to be retained or may not be shared with the employee. Those will require careful monitoring from HR and a clear strategy. HR must also remember the proposed law may have a “right to be forgotten", where individuals can insist that companies remove their data that is no longer needed.
Data audits will be vital: what information about the employees does the organization have? Why has it been collected? How much of it is needed? What will you use it for? Would you give it to third parties? What kind of controls will you impose on those third parties? How will you ensure they destroy the data once it is no longer needed? For example, in the case of common benefits like health insurance, who collects health data from employees?
Is it the company, or is it directly collected by the insurer? What are the controls and protocols followed by the insurer to protect that data?
Ethics take centre stage
HR maintains and handles sensitive data of employees on a large scale, whether it is potential or current employees, and it ranges from data on health and sexual orientation, marital status and family members to salaries and performance appraisals.
The culture should be such that they feel responsible to protect data, and have the right tools and processes to help them do so.
A case for business ethics comes alive. Organizations will now require a multidisciplinary task force that comprises legal expertise, data protection officers and HR, who will check compliance and be the point of contact for the government or other bodies. Also, the team in HR that manages analytics will need strong training to be up to date with the relevant laws.
Of course, we are yet to know the details of the Act, and what parts will apply to organizations as employers and as service providers. Having said that, these are exciting times and an opportunity for HR to take the lead and to transform their organizations.
Hema Ravichandar is a strategic human resources consultant. She serves as an independent director and advisory board member for several organizations