Denis Pennel, managing director of the World Employment Confederation, on the need for balanced regulation
The HR services industry has always gathered significant amounts of data in the course of its work: data from candidates and workers and data from client companies and third parties. Some of this data is sensitive. It relates to people’s personal circumstances and includes information on their financial and legal status. All of this data needs to be managed in order to protect people’s right to privacy.
Increasing challenges have emerged in recent years. Firstly, labour markets have become increasingly digitalised, meaning that personal data and information is exchanged more quickly and easily. Secondly, the number of players involved in managing talent supply lines and workforces has grown, with the result that the roles and responsibilities for managing data at each step in the process have become more complicated and uncertain.
In addition, over the past decade, lawmakers and Data Protection Authorities around the world have taken regulatory action to address data protection – most notably in Europe, with the wide-reaching General Data Protection Regulation (GDPR), which came into force in May 2018.
GDPR is a broad, high-level regulation. It does not provide concrete guidance for its application across all sectors. In the months after it came into force we were receiving clear signals from the market that many of our members and their clients were still unsure as to their respective responsibilities under the new law. The lack of clarity led some players to allocate responsibilities that were detrimental to the protection of workers’ personal data and to compliance with GDPR and a level playing field. It also placed unnecessary burdens on the uses and sharing of personal data to ensure the optimal deployment of talent.
Confusion also abounded at country level, as some national data protection authorities were unsure as to how to classify employment agencies. In attempting to implement GDPR, some authorities did not give adequate thought to the sound functioning of labour markets, services and regulation. In some instances, employment agency clients were seen as data processors for the agency and so would have become data protection suppliers to the employment agency.
It was clear that despite having regulation in place our members and their clients needed support. They wanted to understand which party held worker data and was responsible for it. World Employment Confederation’s Data Protection Taskforce recognised that we needed to take action to ensure appropriate data processing within the HR services industry – not only to the benefit of workers but also to safeguard our sector’s reputation as a responsible provider.
This resulted in us releasing our own set of guidelines to support HR Services providers and their clients in navigating data protection rules. The WEC guidelines on the allocation of ‘Independent Controller’ or ‘Processor’ as HR-Provider describe a variety of typical HR services and determine the roles and responsibilities of each with regard to data protection. The services outlined include: recruitment, agency work, career management, outplacement and different forms of total talent management (MSP, RPO and Vendor management).
The guidelines are designed to support our members in implementing protection of workers’ data depending on the relationship in place. By allocating this appropriately, parties reduce the risk of being accountable for each respective (mis)management of personal data. They also ensure that each party defines its own purposes and ground for the personal data it wishes to collect and use.
While World Employment Confederation’s guidance can support the protection of labour market personal data and compliance with GDPR, the compliant allocation of responsibilities is determined by the actual provision of services on the ground. Our guidelines promote informed conversation on the allocation of data protection responsibilities between clients and HR providers. They also serve to show regulators where labour market services and data protection intersect. Ultimately, HR providers must continue to tailor their relationships in a way that optimises the human resource needs of their clients.
With labour market personal data ever more digitised, the risks related to its use or disappearance are of growing concern. Employers and HR providers have a responsibility to ensure the confidentiality of both workers and society. Taking on board the adequate and compliant protection of personal data in the delivery and procurement of HR services makes common sense and is a necessary step.
A pragmatic approach
International data flows act as an enabler of the global economy. The digital economy has no borders and neither does GDPR – when personal data flows outside of the EU, the GDPR protections flow with it.
Obviously, it is important to uphold the systems and mechanisms that enable this international protection. However, regulation must strike the correct balance between allowing a free flow of data and offering adequate privacy protection. It needs to recognise which data flows are of potential interest to law enforcement authorities and not be over-zealous in the way in which they are interpreted.
The current approach of the European Data Protection Board is too heavy-handed. It treats all data flows as of potential interest to law enforcement authorities – regardless of their context – and threatens to stifle Europe’s ability to be fit for the digital age. Regulation that is so cumbersome as to hamper the free flow of data will ultimately have a negative impact on digital trade and the benefits that it brings to our society.
World Employment Confederation spoke out against the approach at the end of 2020. We joined forces with Business Europe and over a dozen other European trade associations in calling for the Board to revisit it in order to safeguard Europe’s data flows and better align them with the GDPR, recent rulings of the European Court of Justice and the European Commission’s draft Standard Contractual Clauses. We also continue to promote a reasonable grace period before this new framework comes into effect, so that data exporters have a chance to evaluate whether a third country’s legal regime is essentially equivalent to GDPR.
As we look ahead to a post-Covid era, it will be more vital than ever that different regions around the world are able to work together in a spirit of cooperation. We must guard against privacy regulation that forces countries to be inward-looking. Instead, we must encourage a risk-based approach to privacy protection that takes into account the full context of data transfers. World Employment Confederation believes that we need to continue to rely on contractual and organisational measures in safeguarding data and to develop workable technical solutions that ensure that, in the future, personal data can be leveraged to the benefit of both workers and businesses.