How GDPR Is Changing the Way Organizations Reward & Recognize Employees

April 29, 2020
By Dan Davenport

Feeling appreciated and recognized at work is a wonderful thing—and not just for the employee, but for the company as well. In fact, organizations investing in strategic recognition programs can increase employee engagement scores up to 37 percent, according to a recent report from Reward Gateway and Josh Bersin, an independent global industry analyst and dean of the Josh Bersin Academy. And the 2017 Gallup State of the American Workplace report found that businesses with high employee engagement reap a host of benefits, including reduced absenteeism, turnover, and shrinkage; 17 percent better productivity; 20 percent higher sales; and 21 percent greater profitability. 

It’s clear that no business can afford to neglect employee engagement in today’s competitive marketplace. But what it means to have a successful employee reward and recognition program is changing, thanks in part to the European Union's new data privacy rules, known as GDPR (General Data Protection Regulation). 

GDPR became enforceable on May 25, 2018, and impacts not only European countries, but also companies in the United States with clients from the EU, and those with dual citizenships. Under GDPR, businesses are required to protect “personal” employee data, including names, photos, email addresses, phone numbers, addresses, and personal identification numbers, as well as IP addresses, biometric data, mobile device identifiers, and any other type of data that could potentially be used to identify an individual.

The United States is already following the EU’s lead. In January 2020, the California Consumer Privacy Act (CCPA) took effect, marking the nation’s first statewide data privacy law. But the CCPA affects more than just California. Because of the sheer number of residents of the state, most businesses in the country will be forced to comply. Under CCPA, companies must be transparent about data collection, and give California customers the option to prevent their information from being sold to a third party. Those not in compliance could face fines of up to $7,500 per violation.

With these regulations coming into place in Europe and now the U.S., organizations are rethinking their approach to reward and recognition programs and developing or adopting recognition software platforms that comply with the unique demands of GDPR. Some companies, like Madison, a global leader in social recognition solutions, have already adapted their programs to ensure that they conform to GDPR, don't sell any data, and provide 100 percent data transparency. With its newly enhanced cloud-based SaaS solution, MaestroCONNECT, Madison has created user-friendly, push-and-pull data environments that also operate within the bounds of data-sharing and data privacy regulations.

In the biggest technological change brought forth by GDPR so far, any social recognition components of a software platform must now be customizable to meet the specific local requirements of each country or region where a company does business. 

In fact, social recognition, long a key component of employee recognition programs, is directly in the line of fire for GDPR. The crux of the issue is that these programs are driven by the kind of employee recognition that is promoted by everyone—not just leaders—across an organization. Like Facebook or LinkedIn, social recognition programs encourage people to engage with and support their peers, which in turn strengthens the bond between an organization’s culture and its people. Accomplishments are shared and celebrated not just between a manager and a direct report, but among peers and teammates, who can contribute to a recognition by adding an e-card or a video or audio component for all to see. Now, GDPR is changing this landscape drastically.

“Depending on how flexible or not flexible your system is, many organizations have been scrambling to make changes in order to accommodate GDPR,” says Alex Alaminos, Madison CEO. “A social recognition system in the market today has to have the option to send an employee recognition privately or publicly. It has to be so configurable that you can easily turn on or off the social activity aspect—the ability for me to give you an e-card that can go into an activity feed, for example—depending on a company’s location.”

Even the commonplace practice of recognizing work anniversaries, birthdays, and other milestones may be in violation of GDPR without a specific opt-in by the employee. Celebrating an employee’s birthday may seem harmless enough, but from a privacy perspective, a birthday can be critical personal information: after all, it's usually one of the key security questions companies ask when verifying someone's identity. And even if one piece of data doesn’t establish an individual’s identity on its own, it could become identifying when combined with other data. Defining who has access to this information will need to be part of the employee consent document.

There are many other aspects of social recognition that must be reconsidered in light of GDPR. For example, using popular social media sites like Facebook and LinkedIn to highlight employee accomplishments was once considered a highly visible yet low-cost method of showing support, not to mention an innovative way to shine a positive light on your company. With GDPR, that practice is completely out the window now. 

But just because employee recognition programs must adapt does not mean they will suffer under GDPR. It simply means that implementing, managing, and maintaining such programs will require extra steps. Companies must now ask employees to officially opt into recognition programs, with a clearly written, stand-alone document explaining the type of data being processed, how it is being processed, who will have access to it, and when it will be removed. Under GDPR, employees now have the ability to opt out of recognition programs altogether, or to request that their data not be shared, or that it be made anonymous.

For countries that are extremely restrictive in their interpretation of GDPR, the new laws have triggered a return to the more traditional approach to employee recognition that was in place before social recognition. For example, a manager can still recognize their direct report, but it must remain between the two of them and others may not contribute to that recognition. For many employees, workplace recognition means the most when it comes from a direct supervisor anyway. In a recent BambooHR survey of 1,000 U.S.-based, full-time employees, 75 percent of employees who were recognized by their manager once a month reported being satisfied with their job, while 85 percent of those who were recognized weekly reported being satisfied.

GDPR is also having an impact on the relatively new concept of “being yourself” at work. Many businesses today pride themselves on cultivating an environment where employees are encouraged to bring their authentic selves, or whole selves, to work every day. And companies are rewarded for this: Studies show that being yourself at work drives engagement and increases job satisfaction and performance. But creating such an atmosphere is easier and more effective when organizations have the ability to capture and share certain personal information about their employees. Now, any internal groups, clubs, or member collectives will need to be carefully considered as they may disclose sensitive data as defined by GDPR. 

Again, this is not to say that organizations can no longer foster a culture of authenticity at work. It just means that under GDPR, organizations will have to work harder to do so and be more creative in their methods. 

Adapting your employee recognition approach to comply with GDPR may seem like a daunting feat, but with the right strategy, you can design a system that meets your needs globally and your employees’ needs individually. Partnering with a recognition solution that is GDPR compliant as well as a provider who is an expert in data privacy and GDPR is a great first step that will leave organizations well-positioned for both short-term success and long-term compliance. 

If you have or are in the market for a social recognition program, GDPR needs to be on your radar. By speaking to experts before selecting a system, your organization will be empowered to take control of compliance and build a strong foundation for GDPR-compliant employee data storage. 
