Data protection in people analytics projects
// by Patryk Niemyt
People & Culture, People Analytics
Data protection in people analytics projects - most project managers ask themselves many questions about it. The complexity lies in the interaction of very different disciplines. Technical infrastructure, processing procedures, the General Data Protection Regulation (GDPR, in German DSGVO), the German Federal Data Protection Act (BDSG) and company agreements must be communicated to the stakeholders of the disciplines involved in order to create a shared picture that supports decision-making and thus enables the technical implementation of people analytics systems.
The experts at noventum explain the interrelationships and, with the solution "Data protection in HR analytics projects", provide guidelines and procedural models that support project managers during implementation and operation.
People analytics and data protection go together
People analytics and data protection cannot be considered separately, since, for example, in digital personnel management a large amount of personal data is processed during data analysis in HR analytics systems. Because HR data is analysed in people analytics, the processing affects, among other things, personal data within the meaning of Article 4 (1) GDPR and information about employees in the sense of employee data under Section 26 of the German Federal Data Protection Act (BDSG). It may also include special categories of personal data under Article 9 GDPR (DS-GVO). This type of personal data is subject to special protection under the EU General Data Protection Regulation (GDPR), which means that the implementation of data protection requirements cannot be left out. For this reason, the interplay between data-based analysis in people analytics and data protection is of great importance and at the same time provides assurance that all kinds of personal data processed digitally are protected.
The challenges of a people analytics project for companies and project managers
In project situations, the implementation of data protection requirements can be overwhelmed by the high technical and, above all, organisational complexity. During the project, the project managers on the client's side are confronted with a multitude of concrete questions about how the project participants may process personal data in accordance with data protection law.
- Which company agreements must be concluded in the company?
- Which stakeholders need to be involved?
- Which reports are subject to co-determination?
- Which analyses of personal data may be evaluated and how, and what should be avoided?
- How do I set up an efficient data-based tool that does not fail due to the requirements of the General Data Protection Regulation?
- What must be documented and how?
- Who is responsible for which decisions and what information is needed?
Experience shows that the challenge lies precisely in managing the complexity of the interplay between the technology, the business objectives and the preservation of data protection. In connection with the technical solution, there is often a lack of knowledge about where mandatory measures are required. Furthermore, it is often not known which established procedures have to be carried out through internal coordination and which data protection requirements and obligations have to be implemented.
The solution strategy
The problems listed above lead to the objective of ensuring compliance with the requirements of the GDPR in the context of data analyses in a people analytics solution and, at the same time, of raising awareness of data protection. The solution strategy amounts to bringing together and considering the interests of all stakeholders in the company involved in the overall solution. In doing so, due diligence is pursued in the processing of any kind of personal data. The data protection-relevant aspects of each processing operation are taken into account, and appropriate documentation of the processes and the relevant information is set up. Care is also taken to ensure that the requirements of all stakeholders in the company, such as HR, IT or employee representatives, are met. Data protection requirements are implemented through appropriate technical and organisational measures (TOM). A sensible chronological sequence results from a standardised procedure model that guides the project manager in managing the various specialist disciplines.
The consulting service "Data protection in people analytics projects" supports project managers and their staff with procedural models and documentation to ensure that technical measures are implemented in compliance with data protection law. The process models, documents and instructions supplied provide information and support in clarifying questions, raising awareness and implementing data protection requirements at both the technical and the organisational level of the project business. The focus is on access and authorisation concepts as well as on internal coordination between the stakeholders involved, namely decision-makers, employee representatives and specialist departments.
The offer does not constitute legal advice, but is rather to be understood as support for comprehensive and effective project management.
The noventum offer supports noventum projects as an optional project module and provides orientation aids for the customer in the project business in order to bring about the most important technical and organisational decisions. The process model provided, together with the project recommendations, gives an overview of the necessary measures, agreements and documents. The first step is an inventory (as-is status) of the measures already implemented in the company. Based on this, suitable TOMs are developed, which serve as documentation during project implementation and in the subsequent maintenance relationship.
The developed TOMs include, among other things, appropriate authorisation management for internal employees and external processors of personal data according to the need-to-know principle. The need-to-know principle pursues the security goal of restricting data access, and hence the data analyses that become possible, to what is necessary. It must be taken into account that the parties involved may only process the data that is necessary for the immediate fulfilment of the task assigned to them. Otherwise, there is no authorised access to the data. This also includes, among other things,
- the system access and data access controls,
- the physical access (entry) controls and
- where applicable, the disclosure and input controls from Article 32 (1) sentence 2 of the GDPR.
The elaborated and structured processes as well as the documentation templates provided support companies in implementing the project. The optional consulting services include further recommendations for optimising internal documentation, such as an emergency plan in the event of a suspected personal data breach, the obligation of employees to comply with the data protection principles of Article 5 of the GDPR, or the inclusion of a new processing activity in the record of processing activities in accordance with Article 30 of the GDPR.
The broadly based compilation of recommendations, information and procedural models ensures that the documentation obligation under the GDPR is complied with in concrete terms and, in parallel, enables the interaction between people analytics and data protection.
The effectiveness of the procedural models is ensured on the basis of current case law and the recommendations of the supervisory authorities, and through the exchange of experience and communication between the client's and noventum's data protection officers. This approach establishes a clear process for the appropriate processing of personal data by authorised persons. The process is rounded off by a classification of the authorised group of processors and by the creation and documentation of an authorisation concept in which the distribution of rights and roles is clearly structured. The client is supported efficiently and receives a comprehensive overview of the tasks it needs to complete in terms of data protection. In this way, the client gains confidence in the internal processes and, in particular, the internal authorisation management is strengthened. Consequently, the economic interest is served by reducing the probability of the high possible sanctions under Article 83 of the GDPR.
The company agreements drawn up, the committees installed, the communication channels, the authorisation concepts and operating processes, as well as their technical implementation, form a solid foundation for future adjustments or optimisations. The comprehensive view of all data protection-relevant aspects of a technical HR analytics solution creates trust among all stakeholders and thus trust in the solution.
In summary, during the implementation of people analytics software, the optional project module enables a targeted and focused advisory service on data protection in technical HR projects through recommended guidance and further information. Guided through a structured and documented process, project managers efficiently bring about the necessary coordination and concrete decisions. In addition, noventum Consulting GmbH has practical experience and combined expert know-how in HR processes, IT processes, IT architectures, data protection and agile project management. The guidance provided supports the clarification of issues as well as the implementation of data protection requirements at both the technical and the organisational level of the project business, and sensitises the customer to the topic of data protection. The focus is on access and authorisation concepts as well as on internal coordination between the stakeholders involved, namely management decision-makers, employee representatives and the specialist departments of the companies.
noventum consulting GmbH