What impact will the GDPR have on planning?
The new rules regarding privacy legislation.
The General Data Protection Regulation (GDPR) will come into being on 25 May 2018. The GDPR defines regulations for the protection of personal data throughout the European Union. This will impact on every service provider who facilitates the planning of projects and resources and therefore makes use of personal data. In this blog post we will look at the effect this new legislation will have on the planning of your employees and what needs to be done as a service provider.
What does the GDPR do?
Due to an increasingly digital world, most of our personal data is registered in an online system somewhere. For example, Google, Facebook, or in the payroll system of an employer. This may include an email address, a mobile phone number, a residential address, or any other data with which the identity of a person can be traced.
Everyone will have control over their own personal data.
Personal data is used in many different ways. It can be used for commercial purposes, but also for the day-to-day activities of a company, such as the planning of employees with regard to projects. The new privacy legislation will now mean that the GDPR gives every person control over their own stored personal data. It gives them the right to view their personal data, have it amended, or have it erased. Any piece of data that can be used to identify an individual is considered to be the property of that person.
The GDPR describes three parties: the data subject, the data controller and the data processor. For example, the data subject is an employee (on the payroll or as a freelancer), the employer is then the data controller. If one uses a team planner such as Timewax, then the supplier of the system is the data processor.
Figure 1: Data subject, data controller and data processor
How does this effect planning?
When it comes to planning projects, service providers are required to use the personal data of employees. Their names are indicated in the projects and their address details are used to optimize commuting and their email addresses are used in order to communicate about planning. Because of the hierarchical relationship that exists between the employer and the employee, this data may be used without explicit consent.
When it comes to ex-employees, the situation becomes a little murkier. The service provider may no longer use and store ex-employees’ personal data in the planning process, other than for the intention for which it was originally obtained. In addition, former employees have the right to view their details, to have them modified or expunged. Removing data from the planning system can lead to particularly unpleasant consequences when it comes to historical analysis of staff utilization and project performance.
You have the option to anonymize your data
Fortunately, the GDPR rules take the above factors into account. The ‘forgetting’ of a former employee does not necessarily have to mean the deletion of data. The ex-employee may also be anonymized in the system. This means, for example, that you can change the name of the former employee in such a way that the employee can no longer be traced. You would do this with all their relevant personal data. This enables you to still have access to historical data.
What you need to do as a service provider
It is important to set up a process to deal with requests from private individuals in terms of their personal data. As a company, you are obliged to respond to these requests within thirty days. You also need to develop a policy for the handling of the storage of personal data as well as the time period that the data will be stored. The GDPR states that companies must proactively delete personal data that they no longer need.
It is well-advised to keep a register for requests
In the United Kingdom, the Information Commissioner’s Office will check whether companies adhere to the new regulations. If a data subject submits a complaint to the Information Commissioner’s Office because, for example, a data controller refuses to amend their personal data, the Information Commissioner’s Office may decide to audit the company. They will then determine whether you have taken the necessary organizational and technical measures as legally defined. In that case it is favourable if you can show them practical matters, such as the register for requests that you have kept.
If the privacy regulations have been contravened, the Information Commissioner’s Office may impose a fine. The amount of the fine depends on a number of factors. For example, the nature, size, duration – and the impact on those involved. They will also take into account whether the offender has acted intentionally or negligently.
Every service provider that plans projects and resources is affected by the new GDPR legislation because they use personal data. As a company you are therefore obliged to deal with personal data in a new and different way. You will need to formulate a policy in this regard. If an ex-employee approaches you with a request, you must deal with it meticulously and respond within thirty days. It is also well-advised to keep a register of all requests.
Questions or comments regarding this blog? Contact Timewax.
Mark de Jong
Mark is the director at Timewax. He has a background as a project and resource manager with PricewaterhouseCoopers Management Consultants with expertise in the field of Professional Service Automation (PSA)