When organizations apply data protection requirements in People Analytics, there are certain risks. With Anna Horvath, Director and Head of Compensation and Benefits at Assa Abloy, we talked about how organizations can reduce these risks.
She emphasized that setting up a governance, risk and compliance (GRC) framework and tools is crucial for organizations to meet the legal data privacy and ethics requirements.
In this interview, discover her recommendations on how organizations can start the journey towards privacy and ethics in People Analytics.
Hyperight: Can you please tell us more about you? What are your professional background and current working focus?
Anna Horvath: I am originally from Hungary and lived in the Netherlands and the UK before moving to Sweden. I studied organization sociology and got my first internship in HR controlling, and since then I have been operating in HR reporting, compensation and benefits, and HR compliance and governance. I had my adventures in the oil and energy sector, as well as in the wholesale retail industry, and in 2018 I joined ASSA ABLOY Group's headquarters in Stockholm. Until recently, I was responsible for data compliance and governance in global HR processes, including analytics. Since April, I have held the Group Head of Compensation and Benefits role, still taking accountability for the HR governance and compliance activities via my team.
Hyperight: At this edition of the Nordic People Analytics Summit, the topic of your presentation will be “Privacy and Ethics in People Analytics”. What can the delegates at the event expect from your presentation?
Anna Horvath: I would like to show how ASSA ABLOY utilizes the GRC (governance, risk and compliance) framework and tool to meet data privacy and ethics requirements in People Analytics. I will bring real-life examples and hands-on solutions to manage the always changing and demanding global legal environment of data protection.
Hyperight: In your presentation, you will speak more about how organizations comply in practice with General Data Protection Regulation (GDPR) and other data protection requirements globally. You will introduce the risk-based approach for that. Can you tell us more about this approach and its importance for organizations?
Anna Horvath: Applying a GRC framework with the right tools can enable the organization to meet data privacy and ethics requirements while making people data analytics smooth and seamless. A good GRC framework identifies, reduces and manages data privacy risks in a continuous manner on all levels in the organization.
Hyperight: What are the risks organizations may face when applying data protection requirements in People Analytics, and how can they reduce these risks and ensure ethical data utilization?
Anna Horvath: HR is working with employees' and candidates' personal data, and from time to time sensitive personal data. In People Analytics, normally aggregated data is analyzed and presented; however, those aggregated data are coming from personal data. It is crucial to ensure when data is being aggregated, and whether the right safety measures are applied.
Who has access to the data? Is it possible to drill down? How is the data collected? What is the aim of the data collection? How is it aggregated? Is it anonymized? etc.
Data protection laws are strict, and data protection authorities, as well as workers councils, are keeping their eyes on the organization to comply with the requirements.
Hyperight: How can organizations set up this risk-based approach in People Analytics?
Anna Horvath: Set up a GRC framework, and identify the tools that are best fit for the organization.
Define clear processes and responsibilities.
Hyperight: You will also speak about privacy by design, where privacy becomes a significant factor when designing new products and services. How is this possible in People Analytics when covering global privacy requirements?
Anna Horvath: Data is collected and analyzed in a system. Excel is a system as well. That system shall be designed in line with the data protection requirements. We don’t always have to think about complex technical solutions: Have the right access management in place. Have the right data storage in place. Have the rules of sharing the data in place.
If the organization has an HR information system, then take data privacy requirements into consideration at every step of the configuration and implementation of the system.
Hyperight: What are your recommendations to those thinking of applying privacy and ethics in people analytics? Where should they start, and what to pay attention to?
Anna Horvath: Start with the basics, check the relevant legal requirements and apply the necessary changes to the processes and systems. The first step is to understand the risk, for example, by carrying out a gap analysis between what is in place and what shall be in place. After identifying the most pressing items, it is possible to start to bring the solutions.
Hyperight: What’s the best advice you’ve received during your career, and what would be your advice for anyone interested in starting their career in data, people analytics and data-driven HR?
Anna Horvath: One of my favorite pieces of advice, which is very relevant when it comes to data-driven HR and People Analytics, has been: You need to have and understand the box before you start thinking outside of it.
I think it is important to get the basics right and operate well before we start applying changes and bringing in creative ideas. In data protection, you follow the rules.