Transcription
SUPERCHARGINGHR DATAMANAGEMENTFROM REGULATORY REQUISITESTO STRATEGIC OPPORTUNITY
SUPERCHARGING HR DATA MANAGEMENT30-SECOND SUMMARY:CHAMPIONING THEDATA-DRIVEN FINANCIALSERVICES HUMANRESOURCES FUNCTIONHuman resources (HR) functions in financialservices (FS) organizations have historicallyunder-invested in their data capabilities andinfrastructure. The result? Many of them arenot driving the full value they could from theirvast reservoirs of data. Perhaps even moreimportantly, they are not well prepared forthe ever-stricter data privacy regulationsand growing cyber-security risks they face asstewards of some of the organization’s mostsensitive information.This paper explores the challenges HR facesaround improving data quality, integrationand governance; why data is ultimately apeople and business concern rather than atechnology issue; HR’s role in creating a cybersecure workforce; and how new data privacyregulations are turning data protection into animperative for FS HR functions.
SUPERCHARGING HR DATA MANAGEMENTPREPARING HR FOR ADATA-DRIVEN FUTUREMarketing, sales and otherenterprise functions in FSorganizations understand thatdata drives the digital economy.HR, too, is looking for ways toleverage this valuable resource toenhance business performance,optimize workforce costs, improveemployee engagement throughpersonalization of the workplaceexperience, and unlock the potentialof tomorrow’s adaptive workforce.Some leading FS organizations are alreadyseeing impressive returns on their investmentsin using HR data and advanced people analyticsto drive better decision-making and workforceperformance. For example: Accenture is working with an Asianlife insurance firm that harnessedanalytics insights to reduce attritionamong managers by 50 percent insix months. A global asset management firm—an Accenture client—boosted theproductivity of its operational workforceby 25 percent by benchmarking internaland external productivity, analyzingservice maturity and cost to serve,modelling an improved distribution ofworkload, and identifying productivity-boosting factors.However, data analytics and digital HR platformsare only as good as the data that feeds them,and all too many HR functions in FS have nothistorically treated data quality, ingestion,integration and governance as a priority. Asa result, HR lags other corporate functions inits ability to drive value from data and lacksconfidence in the accuracy and relevance of itsanalytics insights.Much of the data HR collects continues to beused primarily for retrospective, operationalpurposes, or simply remains fallow. Just 8 percentof senior HR leaders believe they are usingHR data in an effective manner that generatesmaterial returns.1Some reasons that HR functions in FSorganizations are not yet getting the optimal valuefrom data and analytics include: HR departments have not investedaggressively enough in their data skills,capabilities and governance structures. HR IT landscapes are often complex dueto a lack of investment, legacy systems,and organic growth without long termstrategic planning. Therefore, data isscattered across fragmented businesssystems and processes. Quality isinconsistent, compatibility is limited,and access is hampered. HR often sees data management as anIT issue rather than a business concernand does not assume sufficientaccountability for its data. Some organizations lack the basics ofdata hygiene—for example, consistentdefinitions of data entities such as afull-time employee versus a contractor orpart-time worker across all countries andbusiness units.As FS HR functions strive to become more datadriven they will encounter significant data qualityand integration challenges in every HR activityand process. Taking accountability for data willempower HR to drive more accurate insights fromanalytics, reduce operational errors and increaseconfidence in its service among employees andthe business.3
SUPERCHARGING HR DATA MANAGEMENTDIGITAL TRUST AND DATA PRIVACYMOVE UP THE AGENDASound data quality, processes, systems, controlsand governance are not only key to releasing thetrapped value in HR data. They are also central inmanaging the reputational and regulatory risksattached to managing personal workforce data ina world where employees, regulators and otherinterested parties have put digital trust and dataprivacy firmly on the agenda.HR manages an array of sensitive data such asemployees’ national identification numbers,social security numbers, bank account details,addresses, salaries, disciplinary histories, andfamily details. A data breach could harm theemployer brand, undermine trust in the HRfunction and its data among employees andbusiness leaders, and open the organization tosanctions from regulators.Three out of four employees say they would nottrust their company again if their information wasleaked.2 What’s more, countries worldwide areenshrining data privacy rights for employees instringent data protection laws and regulationssuch as Europe’s General Data ProtectionRegulation (GDPR).GDPR raises the stakesThe GDPR, which came into effect on 25 May2018, prescribes the data rights of Europeancitizens such as the right to be forgotten and arequirement for unambiguous consent for theirdata to be used. It covers employee and customerdata alike. The GDPR affects all firms, employersand vendors who are based in or operate acrossEurope, or who store or share European citizens’data, regardless of where this data is processed.Those who fail to comply face fines of up tothe greater of 20 million (US 24.5 million) or4 percent of annual worldwide turnover. If acompany does not report the scale and impact ofa data breach within 72 hours, it can be preventedfrom processing personal data under the GDPR,4effectively shutting down the business.The HR function should not regard regulationssuch as the GDPR as a burden, but as a stimulusto grow the strategic value of its data. Accenturesees several opportunities for HR in complyingwith stricter data privacy laws andregulations, including: Raising the quality and value of HRdata, in turn delivering more accurateinsights and fewer operational errors. Reducing the effort of reconcilingand manipulating data. Winning the trust of the C-suite bydemonstrating the material benefits ofusing HR data and analytics for humancapital management. Leveraging analytics to enhance workforceperformance and enable forward-lookinginsights that inform leadershipdecision-making. Building a well-informed, cybersecure workforce, in turn reducingthe risk of a data breach and ensuringthe organization can respondquickly to a breach. Preparing for the future by putting inplace the right protocols andprocesses to support a digital,data-driven business.
SUPERCHARGING HR DATA MANAGEMENTGDPR is just the beginning of a worldwideshift to tighter regulation of how organizationsmanage and protect the personal data theygather. China, for example, has issued thePersonal Information Security Specificationeffective 1 May 2018. This framework,which aims to regulate the use of “personalinformation” by data controllers, is largelyaligned to the strict conceptualizations underthe EU’s GDPR.It is expected that China will introduce a morecomprehensive Personal Information ProtectionLaw within the next two to five years.3 Otherexamples of countries that are tightening“personal data” privacy laws and regulationsinclude New Zealand with its new PrivacyBill4 and South Africa with the Protection ofPersonal Information Act.5The landscape is also changing in the US,where government traditionally allowedthe private sector to lead the way in dataprotection and relied on a combination ofself-regulation and legislation rather thanon government oversight alone. Look atCalifornia, which may place a Consumer Rightto Privacy Act initiative on the November2018 ballot.6 If it passes, it will bring moreonerous data protection regulation to thestate, including stricter disclosure andopt-out requirements.5
SUPERCHARGING HR DATA MANAGEMENTHR organizations that start to adapt today to theright behaviors and that implement the rightsystems and processes for compliance will bebetter prepared for the stricter data protectionlaws and regulations likely to emerge in the future.what purpose they may use it. It needs a clearpicture of which external and internal partiesaccess data via integrations or reports, so that itcan put a stop to unjustifiable third-party use andstorage of data mastered by or sourced from HR.Managing the data lifecycleCompliance is complicated by the fact thatnot all data is equally sensitive. Some types ofdata, like medical details, salary information,and whistleblowing cases need to be managedand secured with tighter controls than others.In addition, regulations differ across countriesregarding the consent organizations needto collect data, how they may use it andhow they should store it. For example, someterritories have laws that restrict the movementof personal data outside the country.To meet the demands and opportunities ofregulations such as the GDPR, HR organizationsneed an approach that covers the acquisition,management, storage, transmission, usage,retention and deletion of information or datafrom employees, job candidates, formeremployees and other stakeholders.HR needs to decide: Which data scattered across itsfragmented systems it should retain; For which purposes it can reasonablyand legitimately use this data; and Which steps it needs to take to complywith data protection regulations aswell as to inspire confidence among itsemployees and in the wider business.Under the GDPR, an organization will be heldresponsible for a data breach or leak whether thefault lies with its own systems and employeesor with those of a third-party supplier. HRfunctions should ensure that any vendor—beit a training company, third-party recruitmentfirm or a cloud software provider—that willprocess their candidate or employee data meetsthe stringent requirements of the GDPR. Theyshould also ensure that everyone who accessesthis data has a business need to do so.This may demand a mindset and cultural change,since HR functions and HR IT departments in FShave often taken a relaxed approach to sharingdata, reports and integration with other partsof the business. Data stewards and securityteams will need to learn to stop saying yes bydefault to requests for access to HR data.HR needs to work closely with IT to understandthe data architecture of the organization beforeit can tighten controls over who can access data,which data they can access and when, and for659%of senior executivesanticipate that the GDPRwill have a businessimpact or even be aglobal game changer. 50mEstimated cost for a largecompany to comply with theGDPR (US 69m). 1m/year stimated cost for a largeEcompany to maintaincompliance with the GDPR(US 1.4m).45%of companies do notcurrently have the toolsto ensure compliancewith the GDPR7.
SUPERCHARGING HR DATA MANAGEMENTHR AND THE GDPR –THE COMPLIANCE CHALLENGEGDPR implications foryour organization’stalent strategyHR’s role in embeddingthe principles of GDPRacross your organization1. Data privacy and GDPR talent(high priority)1. Data governance(high priority)Hire and retain data privacy skills.HR needs a clear data managementstrategy.2. Equip leaders with the right skills(high priority)2. GDPR requires a mindset changeSenior management will need to beaware of the key principles andrequirements of GDPR.Day 1On-going awareness campaignsto ensure compliance with GDPR.GDPR requires changesto HR processes, policiesand procedures1. Build a robust data dictionarywith data sourced from HR(high priority)The data dictionary will be themaster record for answeringany queries.1. Next steps(Day 1 and 2)Build a master data dictionaryencompassing all HR dataelements—talent, workforceadmin, risk and compliance etc.Identify personal data and sensitivepersonal data. Identify where,how and with whom these dataelements are shared.Challenge if sensitive dataelements are business-criticalfor down-stream users.Remediate where necessary.Day 2Culture and behavior changeinterventions to ensure peopletake responsibility for datahandling and help to identifyand respond to risks.Align with new employeedata privacy rights1. New data subject rights(high priority)Realign HR processes with past,present and prospectiveemployees’ new rights with respectto their personal data, such as theright to be informed, portabilityand objection at any time in theemployee lifecycle.2. New data privacystatement (Day 1)Articulate changes to the wayyour organization uses employeepersonal data, as well asemployees’ new rights in a newdata privacy statement.7
SUPERCHARGING HR DATA MANAGEMENTHR CAN HELPDRIVE BETTERDATA SECURITYACROSS THEBUSINESSNot only does the HR function need tosharpen its own ability to manage data(and keep it clean), it should also play an enlargedrole in building a cyber-secure workforce readyfor the digital future. In so doing, it can helpaddress one of the major challenges an FSbusiness faces as the volume and velocity ofdata moving through the enterprise grows.The people in the workforce are, after all,one of the major vulnerabilities inan organization’s defenses againstcyber-threats. Employee negligence andmisconduct remain among the biggestcauses of enterprise data breaches and leaks.Accenture research shows that half of securityviolations are caused by human behavior and 93percent of workers are engaging in at least oneform of behavior that puts data security at risk.8Since HR sets the agenda for workforceplanning, learning and development, andorganizational change, it is well positionedto help the wider organization to implementappropriate data security policies as wellas to embed a cyber-secure culture. What’smore, employees are looking to HR to provideleadership. Three quarters of employees seeinformation security as an HR issue and wanttheir companies to develop better personnelpolicies to help safeguard private company data.9In addition to concerning itself with thesecurity behaviors of the workforce, HRneeds to regard the vulnerability of its HRsystems and data to breaches and leakagesas a people risk. Employees expect theirpersonal data to be securely stored andproperly managed. Cloud-based solutionsand machine learning can support the rollout8An Accenture survey of 275 senior securityexecutives in banking and capital marketsfound that banks experienced an averageof 85 serious attempted cyber-breachesin 2017.10 The year before there were 795confirmed breaches in the financial sectorthat resulted in data loss. The average costof a breach rose 23 percent to 3.7 million.11of comprehensive data protection policiesand systems that boost productivity whileensuring sensitive data remains secure.Three steps to a data-fitHR organizationHR organizations need to look at data protectionand cyber-security as important componentsin their portfolio. Accenture identifies threeconsiderations for FS firms as they seek tooptimize the management of their data,while mitigating data protection risks.1. Get your data under control Engage with IT but take accountability:The CHRO should engage with the CIOand Chief Data Officer (CDO) to ensureappropriate data management and controlsare in place. However, HR should assumeaccountability for its data rather thancontinue to treat it as an IT issue. Evaluate how your data is currentlymanaged, stored and provisioned throughthe organization: Look at HR data acrossits lifecycle, including creation, storage,usage, sharing, archiving and destruction.Each stage of the lifecycle carries differentrisks to be addressed through a combinationof policy, people and technology. Whetherthe organization is retaining data inon-premises HR systems or in the cloud, youshould ensure access rights and delegationpermissions are appropriate to the role ofeach employee. When embarking ontechnology transformation, ensure your dataand data management strategy are keyconsiderations in defining the target state.
SUPERCHARGING HR DATA MANAGEMENTAn FS organization shouldaddress inconsistencies in andfragmentation of its HR databefore moving onto cloud-basedsolutions such as Workday,SAP Success Factors or OracleHCM. It should aim to achievea consistent data managementapproach between legacyand target applications beforeconverting legacy HR systemsto the new platform. Addressingand improving the quality ofHR data in legacy systems canhelp reduce the time that ittakes to move to the cloud.Since the data models aredifferent and there is limitedsupport for custom data setsin cloud platforms, this is acomplex process requiringtough decisions on simplifyingthe data architecture. Thisapproach can, however, createlasting benefit if data qualitylevels are maintained after goinglive on the cloud platform. Thesolution architecture is keyin building a consistent andintegrated enterprise systemsand data environment. Create a data governance committee:This body should drive HR data governancestandards and tasks for data of varyingsensitivity and utility. It should include dataowners from HR, key vendors, a datasteward in HR who is responsible forthe content held within the data, and adata custodian who is responsible for thetechnical environment and controls aroundyour data. Enhance data management: Build a datamodel based on an understanding ofthe critical data and who owns it. Ensurethat your data model is aligned with theinformation relating to your legal entity,company structure and financial structure.Consider implementing data quality toolsto automate the process of improving dataquality at source, especially in recruitmentand onboarding. One example of sucha solution is Accenture’s HR Audit andCompliance tool, which enables users toset up rules to monitor data, use adashboard to review exceptions, andmaintain an audit trail of exceptions. Establish employee and managerownership of data: Ensure that the peoplewith the greatest level of interaction withthe data are assigned as its owners anddefine their roles and responsibilities fromthe outset. Encourage stakeholders to takeownership of their data by implementingself-service tools; for example, managersshould have insight into and control overdata about their teams, while employeesshould be able to update their ownpersonal data and the permissions theygive their employer to use it. Invest in data skills: Build data skillsand confidence in the HR workforceby upskilling colleagues and hiringdata specialists.2. Gear up for more regulation Assess regulations across your markets:Evaluate your cyber-security and dataprivacy maturity against the regulatorydemands of the jurisdictions in which your9
SUPERCHARGING HR DATA MANAGEMENTorganization operates. In some cases, theremay be conflicts or gray areas between theGDPR and local regulations in othermarkets. These laws and regulations needto be carefully navigated. Ensure the right processes are inplace: Implement data storage policiesand processes that take account of theregulations impacting the different typesof data your organization holds.Ensure GDPR controls are built into themanagement of your HR systems; thetransfer of data to external suppliers andvendors; and the management of hardand soft-copy documents. Be transparent: Be open with yourworkforce about the type of employee dataHR collects and retains. Create policies andcontrols that allow the business to gatherand analyze data to drive better outcomes,while giving due consideration to the needto get consent to collect or use certaindata, as well as to employees’ privacyconcerns and their rights under laws suchas the GDPR.3. Build a cyber-secure workforce Educate the workforce: To protect theorganization and the employee, adoptadvanced training methods that raiseemployee awareness and shift behaviors. Change the culture: Build a cultureof cyber-defense that developsand rewards good habits to ensure yourworkforce can identify the risks andrespond appropriately. Assess cyber-security maturity:Determine how deeply cyber-safebehaviors and policies are embedded inthe firm’s culture. Do leaders and managersknow how to nurture cyber-security in theirteams and spot unusual behaviors that mayindicate an employee who is a maliciousactor? Do employees and contingentworkers know what to look out for and howto react?10ENTRENCHINGSAFE BEHAVIORHR could use innovative learning methodsand engaging campaigns—for example,provocative videos, fake attacks, and30-day challenges—to instill cyber-securebehaviors and habits in the workforce.Accenture used this approach at a globaloil & gas company to reach more than90,000 employees in over 50 countries.Following the campaign:89%of employeestook action;87%felt they had highawareness; and.the organizationreduced its phishingvulnerability from36% 8%TO
SUPERCHARGING HR DATA MANAGEMENTCONCLUSION:BECOMINGA TRUSTED PARTNER INCYBER-SECURITY ANDDATA MANAGEMENTFS HR functions can drive huge value out ofthe data they collect and manage. However,they can no longer take a back seat whenit comes to data governance, quality andprotection. To maximize the potential valueof its data, the HR function must recognizethat data is not simply a technologyconcern, but an amalgamation of people,process and business.HR leaders should focus on partnering with the CDO and the CIO toimprove data governance and protection, but they must also takeaccountability for the quality and security of their data. They and theirteams cannot ignore the ethical, privacy, regulatory and technicaldimensions of data protection and quality, and how these impact onthe workforce.The potential benefits to HR of using data more effectively areenormous: transforming HR services, managing workforce cost,enabling greater workforce agility and improving business performance.This is especially true in financial services, given its high-cost, highlycomplicated and highly regulated workforce. Yet unlocking this valuedemands effort and investment in ensuring data is accurate, secureand trusted.Is your HR function ready to tap into the valueof your data?11
REFERENCESCONTACT THE AUTHORS1. “Talent Analytics: Make Informed Talent Decisions withAnalytics”, CEB, retrieved December 15, tmlAndy YoungAgile Organization Lead, AccentureFinancial Services Talent & Organizationandrew.s.young@accenture.com2. “75% of Employees Want HR More Involved in InformationSecurity”, Information Age, September 17, 2016. http://www. ved- information-security-123460186/3. “China’s Emerging Data Privacy System and GDPR”,Center for Strategic and International Studies,23 March, 2018. -privacy-system-and-gdpr4. “Is NZ’s New Privacy Bill a Match for the EU’sGDPR?”, Newsroom, March 15, 2018. s-new-privacy-bill-a-match-for-the-eus-gdpr5. “POPI and Human Resources”, Compliance Online,April 5, 2016. https://www.complianceonline.co.za/1186/6. “California Privacy Initiative Likely to Increase Costs ofCivil Litigation if Passed in November”, Data ProtectionReport, April 23, e-38317. “Preparing for New Privacy Regimes, 2016”, Baker &McKenzie. Cited in Digital Marketing Magazine, 2015.8. “Accenture Security Index”, Accenture, 2016.https://www.accenture.com/t20170406T041440Z w /us-en/ w.pdf#zoom 509. “75% of Employees Want HR More Involved in InformationSecurity”, Information Age, September 17, 2016. rmore-involved-information-security-123460186/10. “Accenture Report: Banks Confident in CybersecurityCapabilities But Lack of Real-World Testing Leaves Gapsin Their Defense”, Accenture April 19, 2017. efense.htm11. “2016 Data Breach Investigations Report,” Verizon, ports/rp DBIR 2016 Report en xg.pdfJOIN THE CONVERSATIONRead our blogLinkedInTwitterCopyright 2018 Accenture. All rights reserved.Accenture, its logo, and High Performance Deliveredare trademarks of Accenture.Yorrick BakkerTechnology Consulting Manager,Accenture Financial Services Talent& Organizationyorrick.bakker@accenture.comMarc Le ClaireManagement Consultant, Accenture FinancialServices Talent & Organizationmarc.le.claire@accenture.comSusan RiceManagement Consultant, Accenture FinancialServices Talent & Organizationsusan.rice@accenture.comDavid BoydManagement Consultant, Accenture FinancialServices Talent & Organizationdavid.boyd@accenture.comThomas GoodacreManaging Director, TechnologyConsulting, Accenture FinancialServices Talent & Organizationthomas.w.goodacre@accenture.comMel LeeManaging Director, Accenture FinancialServices Talent & Organizationmelanie.lee@accenture.comABOUT ACCENTUREAccenture is a leading global professionalservices company, providing a broad range ofservices and solutions in strategy, consulting,digital, technology and operations. Combiningunmatched experience and specialized skillsacross more than 40 industries and all businessfunctions – underpinned by the world’s largestdelivery network – Accenture works at theintersection of business and technology to helpclients improve their performance and createsustainable value for their stakeholders. Withapproximately 442,000 people serving clientsin more than 120 countries, Accenture drivesinnovation to improve the way the world worksand lives. Visit us at www.accenture.comThis document is produced by consultants at Accentureas general guidance. It is not intended to provide specificadvice on your circumstances. If you require advice orfurther details on any matters referred to, please contactyour Accenture representative.
The data dictionary will be the master record for answering any queries. 1. Next steps (Day 1 and 2) Build a master data dictionary encompassing all HR data elements—talent, workforce admin, risk and compliance etc. Identify personal data and sensitive personal data. Identify where, how and with whom these data elements are shared.
