Appearance of security icons and hands tapping on laptop

Resources / Articles / Why GDPR Matters When Buying an Employee Engagement Platform

Why GDPR Matters When Buying an Employee Engagement Platform

Published on February 25, 2020

Roar V. Bovim
Roar V. Bovim
CEO & Founder @Livingroom

In May 2018, the European Union introduced the General Data Protection Regulation. GDPR is designed to protect individual privacy and give data subjects more control over how their personal data is collected and processed. Under the regulation, companies have to adhere to new strict standards of security, transparency, and accountability when dealing with personal data of EU citizens.

Handling personal data on a daily basis, HR is heavily affected by this new regulation. For HR personnel, it’s crucial to understand what the implications of GDPR are and how it affects the internal employee processes. In particular, HR should ensure that their HR tech platforms are GDPR compliant.

If you plan to buy an Employee Engagement Platform, it’s not enough that the vendor claims to be compliant. The provider should thoroughly document their continual commitment to GDPR including personal data reporting, employee training, risk assessments, and security policies.

But why exactly is it so important to ensure that Employee Engagement Platform providers are GDPR compliant and adhere to the new rules?

1. Employee Engagement Platforms Handle a Large Number of Employee Data

According to the regulation, companies are required to protect their employees’ data. If data is passed on to a third-party, such as an employee engagement vendor, both parties will be responsible for handling the data safely. Collecting surveys and processing a large number of employee data, the employee engagement provider is obligated to follow strict regulatory standards. This means that not only the company but also the platform provider takes measures to protect the employee data and to demonstrate compliance. 

Thus, before investing in an engagement platform with access to a vast amount of your employee data, you want to make sure that the provider follows the same GDPR standards as yourself and takes the necessary steps to protect and secure the data. 

2. The Data Collected by Engagement Platforms Makes Employees Vulnerable

While handling plenty of data, engagement platforms also process personal data that could expose the employees and make them vulnerable. Besides the personal information present in most HR systems, such as the name, email address, gender, nationality, education, or position of the employee, engagement software access  survey results, including their daily moods, feelings regarding their job and the relationship with their co-workers or boss. In most cases, there are also other demographics, not already stored by the company’s HR system, that are collected to process surveys and analyze results. 

What if an employee’s opinion on his/her boss got disclosed to the entire company? Imagine what consequences the employee would have to bear. 

Due to this vulnerability they are exposed to by sharing personal data, employees should be fully aware of the risks brought by disclosing their information and therefore, according to the GDPR, engagement platform providers should be transparent regarding the uses of the employee data.

3. Cyber-Attacks Are Frequent

According to the Hiscox Cyber Readiness Report 2019, cyber-attacks are more and more frequent. Among the companies surveyed, 61% have experienced a cyber-attack in the past year, compared to 45% in 2018. Furthermore, 74% of the companies assessed were ill-prepared to deal with an attack. 

GDPR seeks to ensure that such security breaches are minimized. Therefore, companies are required to assess the risks of attacks and implement extensive controls and information security policies. These procedures should be followed thoroughly by engagement software providers. 

Think about what would happen if the personal data of the employees was stolen, how it would affect them and how it would affect the company they work for? What if the engagement results of the entire company get leaked?

4. The Company's Reputation and Employer Brand Are at Risk

With retention and recruitment issues on the rise, companies nowadays need to develop a strong employer brand and take good care of the employees. Their data is an important part of this process. As a controller, the company is responsible for the personal data of its employees and therefore engagement platforms should be chosen with great care. 

If the platform vendor doesn’t have required controls and policies in place, chances are high that, in the event of a data breach, the employee data will be stolen. This would not only affect your employees but also the reputation of your company and there could be long-term consequences for your company's ability to attract talent. As one of the motivations behind using engagement platforms is to alleviate turnover, it is important to make sure that using such a platform will not lead to the opposite result.

5. Ensuring GDPR Compliance Is Required by Law

As controllers of their employees’ data, companies are required by GDPR to ensure that all their processors are also compliant and follow the same strict data security standards as they do. This means that if, upon an audit, it is revealed that the employee engagement platform is not complying to GDPR, the company that makes use of its services is also accountable. The fines for violating the regulation are up to €20 million or 4% of the annual worldwide revenue of the preceding financial year, whichever is greater.

While it is important to understand how employee engagement platforms are linked to GDPR and why the provider’s compliance should be checked upon, another question might have risen by now: how can you ensure that engagement platforms are adhering to the regulation?

GDPR requires any company that handles personal data to establish the following procedures, which should be clearly explained in the privacy policy or the data processing agreement of the engagement platform provider:

  • Training its employees and raising their awareness about GDPR and their roles in data protection;
  • Understanding and analyzing the personal data they process;
  • Creating a privacy policy that is transparent with regards to the data collected, the purpose for collecting it, and the parties with which it is shared;
  • Ensuring the rights of the data subjects to modify or delete their data are fulfilled;
  • Assessing subcontractor compliance;
  • Assessing the impact and risks of data breaches;
  • Establishing procedures in case of a data breach;
  • Putting data controls into place as well as information security policies

To sum up, checking upon GDPR compliance is definitely something that should be considered when buying an engagement platform and failing to do so can have serious consequences both for the employees and for the future performance of the company. Therefore, HR managers should carefully examine whether the procedures listed above are implemented by the provider. 

Want to read more articles like this? Join the Livingroom Newsletter

Learn About Livingroom Analytics and Our Commitment to GDPR

Livingroom Analytics is the new, groundbreaking platform for measuring and improving employee experience. Every company faces the challenge of building a workplace where people feel engaged and perform well. Livingroom helps managers identify people challenges as well as deliver the right tailored actions for improvement.

At Livingroom Analytics we are working hard to ensure that we are living up to our responsibility as a data processor. Read about our continual commitment to GDPR and data security here.