How to make GDPR and ONA work together?
GDPR and ONA complement each other; how ONA insights are used depends on the culture of the organization.
Searching online for ONA (Organizational Network Analysis) turns up various definitions, some with curly math symbols and graph theory. In a nutshell, however, ONA is about who communicates with whom in an organization.
Although ONA is regarded as one of the latest buzzwords, it can be traced back at least to the 1980s. In 1985, George Barnett and colleagues wrote an article that addresses ONA at different levels of organizational hierarchy. The abstract below gives more of a clue.
Obviously, at that time and for a long while afterwards, the privacy aspects of ONA were of little or no concern. The situation changed slowly, and then much faster with the EU General Data Protection Regulation (GDPR). Since there have been plenty of articles and discussions about GDPR itself, we will not go into further detail on it here.
ONA in your organization!
ONA is a tool that helps organizations transform for the better in regards to People Analytics. Organizations interested in evolving and adapting in today's VUCA world are all in. Still, end-users tend to be reluctant, voicing privacy concerns. One thing is clear: every technology can be used for good or bad, and ONA is no different.
There are employees who believe that ONA insights will cause them personal or career-related harm. These employees are outspoken and discuss how their privacy is in danger, and their voices then get amplified by Workers' Councils, all in the name of privacy. However, ONA insights enable employees, among other things, to make an impact in their own organization and to develop personally. It is down to company culture and HR practices how ONA insights are used. This is no worse than whispered coffee-break talk judging colleagues professionally and personally. In fact, fear of their own company culture is the core reason why some employees are reluctant about ONA.
This is not to say that ONA should not address privacy; quite the opposite. It is Business and Product Managers' responsibility to build products with privacy in mind, which in GDPR terms is called 'data protection by design and by default'.
GDPR requires explicit user consent before ONA insights can be developed. ONA insights can still be calculated with a proportion of employees not opting in, but a critical mass of employees has to give consent for the insights to be acceptable and reliable. Therefore, before starting with the implementation and asking for consent, raising awareness about ONA in your organization is of paramount importance.
Addressing data privacy at its core is everything but simple!
The key change with the GDPR is that data protection by design and by default is now a legal requirement. The ICO notes that:
"The GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights."
This approach spans everything from the infrastructure all the way to the UI. Such a wide span of implementation focus makes it hard for organizations, especially when it has to be built on top of existing products and services.
Luckily, GDPR names high-level measures in the form of anonymisation and, more importantly, pseudonymisation. The IAPP defines pseudonymisation as:
"Separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately"
For privacy-aware product implementations, this means that personally identifiable information (PII) must be separated by design. Obviously, the next question is: what does PII mean? Note that GDPR itself uses the broader term 'personal data', meaning any information relating to an identifiable person, so a narrow list of PII fields is not enough. The question is still in the process of being defined; one of the concepts is presented here as PII 2.0. Organizations are nevertheless expected to do their best to address PII and privacy; the excuse that PII is not well defined will not help your organization in court. There are various ways of addressing PII and pseudonymisation, but the best ones incorporate security, encryption, and, as far as possible, the handling of confounders (attributes that are not identifiers on their own but identify a person in combination). By definition these confounders are the hardest to tackle, and this research paper shows how easy it is to infer PII from them.
In regards to pseudonymisation (assuming your organization has addressed PII as best as possible), the safest way to pseudonymise data is to combine hash values, data encryption, and so-called defense in depth. One caveat on hashing: a plain hash of a low-entropy identifier such as an e-mail address or employee number can be reversed simply by hashing every plausible value and comparing, so use a keyed hash (for example HMAC) with the key held separately from the pseudonymised data. That separately held key is exactly the 'additional information held separately' in the definition above.
How to pseudonymise data to be used for ONA products?
First, defense in depth needs to be implemented. Defense in depth is:
a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.
In our case, it means that PII must be separated behind multiple layers of security controls, making it hard to reach. This is done by implementing separate VLANs, encryption, hashing, hardware separation, authentication, etc.
Once PII fields are identified and defense in depth laid down, the following technical steps can be applied:
These steps ensure that your organization has done its best to address data protection by design and by default, which is a legal requirement under GDPR.
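As an added example (not the article's own code, nor anything from Haufe or its products), the Python script below shows what separating PII from the ONA dataset looks like in practice: a constructed edge list of who wrote to whom, a constructed consent register, one keyed pseudonym per employee with the key held by a separate custodian, a re-identification table kept apart from the graph, and a degree metric computed on pseudonyms only. It also shows why an unkeyed hash is not a pseudonym for an e-mail address: a dictionary attack over the company directory reverses it. All names, addresses and the key are assumptions made up for the demo.

```python
"""Pseudonymising a communication edge list for ONA.

Added example, not code from the article or from Haufe. It assumes a
small constructed edge list (sender, recipient) and a secret key held
by a separate custodian; every value below is made up for the demo.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample data: who wrote to whom. Entirely made up.
EDGES = [
    ("alice@example.org", "bob@example.org"),
    ("alice@example.org", "carol@example.org"),
    ("bob@example.org", "carol@example.org"),
    ("dave@example.org", "alice@example.org"),
    ("carol@example.org", "dave@example.org"),
]
# Constructed consent register; only opted-in employees may appear in
# the ONA dataset at all (dave has not opted in).
CONSENTED = {"alice@example.org", "bob@example.org", "carol@example.org"}


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: looks pseudonymous but is reversible by guessing."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()[:16]


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret held separately from the data.

    The key is the 'additional information held separately' that
    pseudonymisation requires; without it the pseudonym cannot be
    linked back even by someone who knows every address in the firm.
    """
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_edges(edges, consented, key):
    """Return (pseudonymised edges, re-identification table).

    Edges touching anyone without consent are dropped before anything is
    hashed. The returned lookup table is what has to be stored and
    access-controlled separately from the ONA dataset.
    """
    lookup = {}
    out = []
    for src, dst in edges:
        if src not in consented or dst not in consented:
            continue
        p_src, p_dst = keyed_pseudonym(src, key), keyed_pseudonym(dst, key)
        lookup[p_src] = src
        lookup[p_dst] = dst
        out.append((p_src, p_dst))
    return out, lookup


def out_degree(pseudo_edges):
    """An ONA metric (messages sent per node) computed on pseudonyms only."""
    return Counter(src for src, _ in pseudo_edges)


def dictionary_attack(pseudonym, candidates, pseudonymiser):
    """Try to re-identify a pseudonym by pseudonymising guessed identifiers."""
    for cand in candidates:
        if pseudonymiser(cand) == pseudonym:
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and kept by the custodian, not the ONA team
    pseudo_edges, lookup = pseudonymise_edges(EDGES, CONSENTED, key)
    print("ONA dataset (no PII):", pseudo_edges)
    print("out-degree per pseudonym:", dict(out_degree(pseudo_edges)))
    print("re-identification table (kept elsewhere):", lookup)

    directory = sorted(CONSENTED | {"dave@example.org"})
    target = "bob@example.org"
    print("unkeyed hash reversed to:",
          dictionary_attack(naive_pseudonym(target), directory, naive_pseudonym))
    print("keyed pseudonym reversed to:",
          dictionary_attack(keyed_pseudonym(target, key), directory, naive_pseudonym))
```

Note that the consent register itself still reveals who opted in and who did not; keeping it with a third party or a separate custodian, as one of the comments on this article suggests, is a separate design decision that this example does not cover.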
As an overview, the diagram below shows a broader, simplified view of the above:
ONA features related to summary statistics and team-level metrics work similarly. Privacy and PII concerns are more relaxed there, and anonymisation can be used, provided the groups are large enough that no individual can be singled out from the aggregate.
Conclusion
It is possible and viable to provide ONA-related services that are GDPR-aware and follow best privacy practices. The expectation mismatch of end-users is mostly related to a misunderstanding of ONA, internal culture, assumptions, and the negative vibes around everything that is currently happening in data privacy. The culture in an organization makes or breaks ONA insights, not the other way round. The after-ONA phase, and how organizations make use of ONA insights (and other decision-making information), should be employees' concern. ONA gives employees the means to drive their own interests and culture, rather than hoping for the best and waiting for what happens during whispered coffee-breaks or offsite decision meetings.
__________________________________________________________________________
For more information on ONA at Haufe, please see our Article Series.
One additional challenge is to pseudonymize the opt-in process itself. It shouldn't be possible to identify who agreed to share his personal data for ONA purposes and who did not. At Swisscom we used a third party to guarantee this level of privacy.