IT giant Dell EMC used its recent merger as an excuse to get an early run at GDPR compliance.
Speaking at Workday Rising in Barcelona last week, Paul Hogan, senior manager HR data governance at Dell EMC talked about how the company has prepared itself for the new regulations and the opportunities that getting their data and processes in order presents to the business.
Dell EMC, the recently merged IT company, found itself in a unique position surrounding GDPR and compliance. Having just completed a merger in September 2016, preparing for compliance gave Hogan and his team the opportunity to audit all data, systems and processes to essentially kill two birds with one stone: start consolidating some of its backend systems under the new company umbrella and prepare for the May 2018 compliance deadline.
He said: "We realised very quickly that the systems and how we managed and structured our data were extremely different.
"So we had an 'oh crap' moment that there were so many systems that we needed to monitor and look at and determine where we needed to go with GDPR that we really had focus from early summer last year."
Hogan used the impending regulation as a means to pitch the business for a new data governance platform, namely, Workday's Human Capital Management (HCM) software.
By adopting Workday, the organisation was able to start bringing employee's personal and financial data into a single platform before going live with the SaaS product in October.
Hogan explained: "So we are retiring multiple systems now to go towards Workday and that did an awful lot of the heavy lifting for us. We still have our integrations where we send data to Salesforce, to our finance teams, to our facilities, to outside providers, but a lot of it works through Workday, which as a governance platform gives us visibility into that."
This has some serious advantages in preparing for GDPR, especially with data traceability and the fiddly issue of notifications of consent.
As Hogan explained, this would be a "headache" for companies that use multiple systems to support their HR. "Having multiple systems and controlling consent notifications will be quite complex," he said. "We feel it is a lot simpler to do from one system."
For data traceability, Workday has given Dell EMC "one point of view to where our data sits, through reports, integrations and downstream systems that consume the HR data which, when you bring the two companies together, is nearly 300," Hogan said.
"In our Montpellier office employees can pay for lunch with their badge," he added. "That data is stored in a desktop under the counter. If we terminate an employee we need to remove that data. So knowing where data sits is the largest thing and now the traceability we have with Workday means we have 80 percent of downstream sources [accounted for]."
By consolidating around Workday the organisation can start to set roles, responsibilities and consents around data, set guardrails around analytics and how they consume data, and ensure employees know what data is used for when they are entering it.
Hogan has been busy "processing the hell out of this", as he put it, taking every task that involves data and creating a flow to see where the data governance falls and how it will be managed and stored. This allows him to see "end-to-end each case for each request, which allows us to manage it and be ready for anything."
The important thing for Hogan is educating employees of their data responsibilities when moving data around.
"We are going to be putting a practice in place where we make every single employee aware of what their responsibilities are with GDPR," he said.
"If you are a processor of data and take it offline and put it on your C Drive and that laptop is lost and someone exposes all of that HR data, then there are implications. We have to make sure they are aware of those implications and enhance the awareness that there is a responsibility on them as well."
So is Dell EMC fully prepared for GDPR? Not quite.
Dell EMC is running a four day workshop in December. "Honestly we probably need 15 days," Hogan said. "We have a lot to do, right down to who contacts the regulator."
"We have documented 16 points of entry for employees to say 'I want to see my data' or 'I want you to delete my data', so that is a lot to do to make sure we can support that request within the agreed SLA."
"I would say we are 70 percent of the way there," he said, with the aim to be compliant by March.
Beyond GDPR compliance Hogan sees this whole exercise as beneficial for the organisation in the long term.
"We took it as an opportunity to future proof how we manage data," he explained. "Future proof how we look at compliance with regulations and improve the quality of the data.
"So I don't think we are just going to look at this from a GDPR perspective but we want to go beyond that and make sure we can manage data in a more mature fashion, so that we can do analytics, we can serve our employees better."