James Holdstock: The GDPR the Bad and the Ugly

“We don’t like their sound, and guitar music is on the way out.” Said Decca recording company when they declined to sign the Beatles in 1962. “There’s no chance that the iPhone is going to get any significant market share. No chance.” Said Steve Ballmer, Microsoft CEO in 2007.  What were your predictions about GDPR before May 2018? Most were pessimistic or confused at best. It was a scary mountain to climb.

Why do we need data protection anyway?

Everything has become systemised. Where we had paper-trails we now have email-chains. Where we had annual leave quotas, dates and reminders we now have databases. This technology has been created and bought hand over fist because, for the large part, it made things quicker. More calculations can be done, more timesheets processed, more revenue-producing work, less paperwork.

Data started to be collected

Data was collected to facilitate the original purpose. At one point in my career I was loading ‘annual leave quotas’ and ‘leave taken’ onto a human resource management system (HRIS), it had previously been logged on paper but the technology had been brought in to the company so that the employee did not book too much holiday and go over their quota.

That may have been the original purpose of storing that data but enterprising minds thought what else they could do with it to create value. This information for a team, helps us prevent potential clashes where people want holiday at the same time. We can see where employees haven’t taken their leave. We can avoid them booking a big long Christmas holiday off when actually we need more staff to meet our targets. Or avoid employee losing leave, getting upset and going to another company that actually manages their leave quotas better to the benefit of the business and the employee?

Meanwhile, people with a bit of business acumen, realised that certain data can expose other things… Annual leave patterns may sync with school holiday periods, does this mean that this person has children? The short answer to this is almost always yes, because if you’ve ever tried to book a holiday during the school holidays you will know they are exorbitantly more expensive. Businesses will pay a pretty penny for data that identifies what sort of products people will spend their money on and you may know that if you have children there are definitely things you need.

There are also things that you probably don’t need but if someone offers them to you at the right time you may be susceptible to buying. I’m talking about a product that will ‘help your baby sleep’ and is essentially a rolled-up blanket, but for the fair price of £120, rather than rolling up a blanket which if you don’t have already, no doubt can be achieved for less than £20. If you make that offer to a person on the street they would laugh in your face, 99 times out of 100. However, when you hit that hundredth person and they are sleep deprived so much that they are unable to roll a blanket, they will give you £120, in an attempt to get back some semblance of sanity.

As a business person selling ‘pricey blankets’ it is going to be much more cost effective to pay someone who has identified their target market and sell to them. Suddenly we realise how valuable data is. What is to stop any person that gathers data about me from collating and selling it? Not just to sell goods but to influence my vote or identify when I’m on holiday. There is always the small print that will tell you that your data is being sold on mercilessly, but who reads that? There is the 1998 Data Protection Act, which is not dissimilar to the new GDPR approach, but no one listened to it.

So, something was needed to protect our data and its misuse.

But was GDPR the right thing?

The GDPR is designed to protect data, restrict data and create more deletion rights. How could that possibly be good for People Analytics teams and their respective HR departments?

Well, you are right to worry that the GDPR means the potential of losing data. If you think that it gives individuals the right to bin whatever personal data you hold on them as they watch you crying into the empty data pool, you’d at least only be half right.

Yes, the GDPR has a few additions to the Data Protection Act of 1998 such as what ‘Personal data’ encompasses, extending to any identifier (even an IP address). A few other items that are new or have changed are;

The right to be informed.

The right of access and rectification.

Right to erasure – Shouldn’t we ‘give a little respect’ and not treat our data subjects like a ‘ship of fools’? This maybe a little scary, but if we can get that trust then maybe they will ‘Take a Chance’ on us.

Right to Restrict Processing – As an analyst this is perhaps a little more scary. Individuals have the right to ‘block’ or suppress processing of personal data.

They have WHAT?!?

For those of us that do this because we want our business to succeed and believe it is wholly related to the performance, productivity, creativity, engagement and wellbeing of our employees or data subjects, there’s not just a new hope, there’s a very clear path.

I have just sat down with my morning coffee and an email request pops up.

‘I need you to run a report on how many leavers there have been from my team. Can I get this today?’

This fits into the UV category (Urgent and Vague). A thousand questions run through my head, Internal or external leavers? Voluntary or retirees? Which roles? Is cost a factor? Last month? Last Year?? Last ten years? All questions that could be answered quite simply by the magic question.

‘What is the purpose of your request.’

In other words, what business issue do you have? What prompted you to ask this? Is retention poor? What aspect of business performance are you trying to improve?

If an analyst knows their dataset, then they need only a purpose or goal

This is where the GDPR comes in. At all stages in the GDPR it refers to the ‘Purpose’ of collecting the data. You have to tell the data subject what that purpose is. It can be beneficial to a company for two reasons:

It’s beneficial for the employee (e.g reporting sickness absence to advise employees of pathways to aid their health or monitoring the take up and attendance of training courses to assess whether they are being released from their workloads to develop. It’s beneficial for the company (e.g If my company goes bust, guess what, I don’t have a job.)

This insistence of the GDPR to state the purpose of the analysis is just the stick that we have been waiting for, to help with our requirements gathering and actually improve the quality and outputs of our analysis to help the above two aspects.

Of course this will only work If we communicate with our data subjects, follow a good scientific analytical method and last of all, do not have nefarious aims.





James is currently supporting HR projects at Drax Group, an energy supplier focusing on a zero carbon future. He has worked in People Analytics in Insurance at Domestic & General and at Transport for London (TfL) for five years as well as freelance work. With the current landscape being so changeable, he sees himself as a problem solver for the business with a specialism in people, analysis and data. He has worked to highlight the usefulness of data to HR professionals and the business by identifying and proposing solutions for people issues that affect the employees and the business.

With experience in spreadsheets and databases he learnt the HR processes in an administrative position putting him in a perfect position to be an HR Analyst. He is a firm believer in the internal parts of the business communicating to work together. He has now taken that experience to Drax Group where he is focusing on pulling data from all sources to get insight that will improve the employee experience and ultimately the business outcomes.