We take advantage of the visit made to Spain by José Alberto Rodríguez Ruiz, Data Protection Chief of Cornerstone, a profile similar to the Anglo-Saxon CDOs, to know what new law will bring in order to enable and harmonize individual privacy rights throughout the EU .

Cornerstone started in Santa Monica (California) in 1999 just after Salesforce started the cloud computing era with a new CRM model that none of the big players were worried about. They chose the path of online training (eLearning) and talent management. Today they are positioned in the magic quadrant of Gardner as leaders, despite being a niche company, shadowing companies with human capital suites (HCM) such as SAP or Oracle. “The only two reasons are to have many customers or to have a great innovation and technology, and both premises we fulfill,” explains Carlos Rivera, head of sales of Cornerstone in Spain. “We manage a large volume of information of more than 32 million people with an average of 10,000 registrations per company, unified in a single global database. This allows us to provide algorithms that allow us to make benchmarks based on anonymised data that, in a matter of seconds, give managers relevant information about their situation regarding the averages of their sector, as well as generate parameters and draw conclusions on how they will affect simulation of scenarios based on predictive factors “.

In Spain, where they have been present for seven years, they have companies with tens of thousands of employees, such as Santander or BBVA, to companies of several thousand such as Cellnex or Eroski. It must be specified that Cornerstone not only feeds on employee data, but also external users, hence its large volume. The tools provided by Cornerstone OnDemand really accompany the lifecycle of an employee throughout his tenure at the company: recruiting (job openings , resumes, contact), learning (content, results, records), performance (from compensation , salaries and objectives, to career plans, skills and competencies) andHR (contact information, bank details, medical data, organizational data …).

Talent management has evolved over the past 20 years: if in 1995 they were specific applications for a particular HR process, in 2005 it was already betting on an integrated system of modules that complemented various actions, but it was not until 2015 that it started to apply the option of data-driven , that is, the power to make decisions based on objective data rather than intuitions .

The algorithms Cornerstone apply to multiple aspects of HR. They are able to calculate the disposition and potential of each employee for a given position in cases of succession , or to show in a predictive way the most logical route in a career plan which allows on the one hand to motivate and retain the worker and on the other to facilitate the choice of the most suitable formations. But not done with an eye for someone in HR, but with percentages obtained in seconds and based on information that drinks from all modules, work that otherwise would take weeks or months to get. Of course, first it takes at least a year to feed the database history in order to start giving reliable results.

“In this sense and in the use of particular information of employees we are impacted completely by the new general regulation of data protection of the EU, the RGPD , and although it is called data protection I would define it before as the law of protection of persons , because when we talk about data we’re talking about people, and basically it’s about preventing abuse by misusing them, “Rivera says.

It all depends

Nine months remain until the RGPD comes into force, and companies must know what they will be required to use and safeguard from May 25, 2018 . Spain has the advantage of a LOPD that has been in force since 1999 and which transferred the initial European directive of 1995, has been forcing companies to adopt a number of measures in this regard there is a certain culture relating to ensuring the privacy of the data . But, are they prepared for the implementation of the RGPD? This law updates many assumptions and brings a number of changes, the most significant of which was commissioned to deploy them José Alberto Rodríguez Ruiz, Data Protection Chief of Cornerstone(by the way, the only department that is outside the US, specifically in Paris, which gives an idea of ​​the importance that the company gives to the new European legislation).

“To offer an image that would allow me to explain simply and graphically what this law is, I have chosen the one of a croquette : no doubt a food based on very basic ingredients, which then admits multiple interpretations (but none like those of the grandmother)” . And the CornPO DPO clarifies: “The basics are knowing when to collect data, how they should be processed, and what rights are derived. The different thing is in the event that there is a leak of data how the authorities assess the penalties, that if in the current Spanish legislation could reach 600,000 euros, with the new RGDP can reach 20 million euros or 4%of the last annual turnover, the greater. The same principles can be applied differently, depending on context, quantity or sensitivity. Often the only answer we can offer is a … it depends . ”

In fact, the fine imposed a few days ago to Facebook in Spain of 1.2 million euros (actually the sum of two concepts of 300,000 euros each and another of 600,000) for the misuse of user data for advertising purposes. “That would certainly have been much more so with future legislation, which would act in a more dissuasive way on this type of practice. We own our data as we are from a car or a house. Our data are contained in multiple organizations, the difference is when they are voluntarily assigned or there is a prior consent. It is not the same to join a list to receive an electronic newsletter to track your browsing history to draw conclusions about your ideology, religious, sexual or even medical interests. In France, if you want to apply for a mortgage loan with payment insurance, the insurer requires a medical report that includes an electrocardiogram and a blood test for your grant; and is the country of freedoms and human rights. Undoubtedly, the guarantees of custody of this data should be extremely strict and should be used solely and exclusively for the aforementioned purpose: only the data that is needed will be used . ”

The companies with Diogenes syndrome will have a bad time with the RGDP: it will not be worth collecting all the possible data that goes by although we do not know how we will use them or if we will ever use them, just in case: they need a purpose . But in addition, they can not be kept forever: they must be erased after a whileof its use. “This is a delicate point of the new law, because it often does not serve a simple deletion of the database, the data are usually linked to other data, and breaking that chain without mismatch the application or start to make mistakes is not so simple. That is why practically nobody does it. We have already worked on incorporating these considerations into the development cycle of our software, improving the anonymization and erasure capabilities, “says Rodríguez Ruiz. “Another concern is to treat security and prevent data leakage by establishing automatic mechanisms and timely protocols of good habits, it is done with the naturalness with which one puts a helmet on entering a work.”

The RGDP gives a lot of flexibility, because it does not say how many years the data should be saved, if three or five. It also speaks of the creation of a new figure, the DPO (data protection delegate), who will be responsible for implementing compliance, conduct the assessment of the impact of custody and data leakage in companies, be the contact with regulatory authorities. But it opens the door for you to outsource your services as an outside consultant. “However, not all companies will be able to incorporate this profile, but there is no logic that prevents them from having companies that handle more than 5,000 clients and have data of 30,000 people, in the RGPD no guidance is given, only it is required”.

Finally, another innovation that brings the RGDP is that while the obligation to keep the data was the responsibility of the final company, now responsibility also extends to the entire chain of suppliers . “Before you could have your own servers or have your data hosted in a specific datacenter, and blame the other, but now with the cloud the law wants to ensure that the responsibility for the data falls on all those involved, wherever the data”.