GDPR has finally arrived and many clients and suppliers, including providers of workforce planning software, are struggling to agree on their responsibilities. The regulations cover such a wide range of organizations, from those that manage mass marketing campaigns through to ones that hold highly sensitive personal data, such as credit card or health records, that it is difficult to settle on a realistic interpretation.
GDPR draws a distinction between the key roles of data controller and data processor. The controller role clearly belongs to the organization that employs the personnel whose data is being managed. They are responsible for ensuring that their staff are happy with the data that is stored about them and for responding to review and deletion requests.
In the relationship between workforce planning software clients and vendors, the data processor role is much less clear. The vendor generally has no role in the actual processing of the client’s personal data, which is done by the client’s users of the system. For an on-premises system, where the vendor has no online access to the data, the vendor clearly has no role at all in the processing of personal data. Only if the software is hosted by the vendor does a data processor role emerge.
GDPR describes the data processor role as having access to the personal data, with the ability to update it, process it to produce reports and import/export it to other systems. However, most client contracts specifically prohibit the vendor from performing these functions, unless instructed as a one-off exercise to fix a software fault. So the data processor role for most software vendors will be restricted to ensuring the safe storage of the client’s data when they host the system.
There is also some confusion over the sensitivity of the personal data stored. Most workforce planning systems only handle less sensitive data, such as individuals’ names, their job descriptions and skills, and where they sit in the organization. This can hardly be considered highly sensitive, so the implications of any data breach will not be too serious. Occasionally, personal salary or cost rate data will be stored which, of course, warrants closer attention to data security.
So the impact of GDPR on workforce planning software vendors should not be too severe, but it is early days and who knows what unintended consequences will emerge.