GDPR has finally arrived and many clients and suppliers, including providers of workforce planning software, are struggling to agree their responsibilities. The regulations cover such a wide range of organisations, from those that manage mass marketing campaigns through to ones that hold highly sensitive data, such as credit card or health records, that it is difficult to settle on a realistic interpretation.
GDPR draws a distinction between the key roles of data controller and data processor. The controller role clearly belongs to the organisation that employs the personnel whose data is being managed. They are responsible for ensuring that their staff are happy with the data stored about them and for responding to requests for review and deletion.
In the relationship between workforce planning software clients and vendors, the data processor role is much less clear. The vendor generally has no role in the actual processing of the client’s personnel data, which is done by the client users of the system. For on-premises systems, where the vendor has no online access to the data, the vendor clearly has no role at all in the processing of personal data. Only if the software is hosted by the vendor does a data processing role emerge.
GDPR describes the data processing role as having access to the personal data, with the ability to update it, process it to produce reports and import/export it to other systems. However, most contracts between clients and vendors specifically prohibit the vendor from performing these functions, unless specifically instructed to do so as a one-off exercise to fix a software fault. So the data processing role for most software vendors will be restricted to ensuring the safe storage of the client’s data when they host the system.
There is also some confusion over the sensitivity of the stored personal data. Most workforce planning software only handles less sensitive data, such as individuals’ names, their job descriptions and skills, and where they sit in the organisation. This can hardly be considered highly sensitive, so the implications of any data breach will not be too serious. Occasionally, personal salary or cost rate data will be stored, which, of course, warrants closer attention to data security.
So the impact of GDPR on workforce planning software vendors should not be too severe, but it is early days and who knows what unintended consequences will emerge.