Has GDPR Finally Put a Dagger Through the Heart of HR’s Beloved Spreadsheets?
In the HR corridors, everyone loves to hate their old faithful – the humble, unassuming spreadsheet. So, no, in this blog we will not talk about why spreadsheets were never designed for collaboration in the first place, why they consume valuable HR time in performing checks and verifications, and why it is becoming increasingly difficult to extract business intelligence from spreadsheets, especially concerning remuneration and performance management.
What we will talk about in this blog, though, is why continuing to use spreadsheets in your HR processes might actually cost you more than you think.
Enter GDPR. Remember that frenzy of emails you received from almost everyone who had your email address saying they wanted your consent to continue to send you information? That was GDPR in action. General Data Protection Regulation is a new 2018 European Union data protection and privacy law. Without going into the details, GDPR is the European Union’s response to the growing concern people have about their privacy and how organisations obtain, store, use and share their personal information. This could be anything from their email addresses and phone numbers to credit card and bank account details and any other personally identifiable information.
So GDPR says you cannot use a spreadsheet in HR anymore. We are kidding, of course! But what has indeed changed is that your organisation is much more accountable for the employee data you store, process and share. And if that data is held in the form of spreadsheets, that is a recipe for disaster. Spreadsheets usually have much weaker security as compared to other solutions, can be printed by anyone and people create multiple copies of them that are spread across your business (Heaven forbid, maybe even the internet!). Your company might be held liable for any loss, theft or misuse of this data.
And if that was not enough, GDPR mandates that all data breaches be publicly reported within 72 hours of the incident along with the details of the data compromised and the measures that are being taken. What that means is that your humble, unassuming spreadsheet could be the reason your department and your organisation come under public shame and potentially lose your customers, clients and employees. Wow!
But Didn’t You Say This Was an EU Regulation?
That is the catch – while you may say that your business is based outside the European Union, you must be GDPR compliant if you are dealing with any data involving EU (and the UK) companies, residents or citizens. Regardless of the jurisdiction, companies handling any EU data need to be GDPR compliant. And with most businesses becoming more and more glocal (to steal an ingenious term from Up In The Air), businesses globally are endeavouring to be safe rather than sorry. Many AUS-NZ businesses have at least some connection with the EU and the UK, and you will do yourself a huge favour by thinking ahead instead of looking back later!
I’m from Down Under – We Are Fully Aware of Our Data Privacy Regulations! Meh!
Sure, the GDPR and the Australian Privacy Act are both steps in the same direction and have a lot of overlap. The overall intent of the two pieces of legislation is the same. Currently, within the Australian legislation there is some leniency that is not present in GDPR. However, you would be doing yourself a favour to look at GDPR as the eventual future, as it has been in place in a slightly different form in the European Union for many years and they have been slowly tightening it up. Expect the Australian privacy legislation to do the same thing. For instance, under the Australian privacy law, organisations with less than $3 million in annual turnover do not need to announce their data breaches – which is assuming that smaller organisations are less likely to face cybersecurity threats – something a 2017 by Council of Better Business Bureau of North America disagrees with. If that was not enough, the very definition of ‘serious harm’ is ambiguous in the Australian counterpart of GDPR, which could have allowed companies to get by Down Under, but they won’t be able to do so now with GDPR in effect. Plus, the Australian regulation gives 30 days for an investigation as opposed to 72 hours in the GDPR! That’s stiff, eh! Still think you are ready?
As an HR Manager, What Can I Do?
HR is a storehouse of tremendous amounts of employee data – their bank accounts, their health records, insurance, tax details, eligibility details (driver’s licence, passports, visas, work permits), referee contact details, previous employer’s details and of course compensation and performance data. Given the cybersecurity landscape and the GDPR compliance requirements (and just general garden variety ethics as well!), that is a lot of sensitive information to be contained in spreadsheets. HR can take the lead in this transformation and present their case to the business – the spreadsheets need to go and other more secure solutions should be put in their place. SaaS solutions, built in the cloud with high-level security and regular monitoring, are a great option.
We could talk about how spreadsheets cannot even hold a candle to the SaaS solutions available today for HR processes like Performance and Remuneration – be it data security, ease of collaboration, ease of decision making, ease of report generation, ease of updating, cost savings and pretty much everything else.
But we will simply say that it is time, once and for all, for HR’s old friend to take a bow, exit the stage and make way for the cloud!
To learn more about the risks of using spreadsheets to manage complex HR processes and the steps in transitioning from spreadsheets to more sophisticated systems, download the whitepaper ‘The Pink Slip for Spreadsheets in HR’.