GDPR and Its Impact on FP&A Employee Compensation Planning

May 25th, 2018 is one of the most historically significant days in the information age. Yet, it will go mostly unnoticed, unless you are a citizen of the EU or work with data security for a multinational company. This Friday, the General Data Protection Regulation (GDPR) goes into effect.

What is GDPR?

GDPR is a regulation enacted by the European Union (EU) granting the most comprehensive protection of personal data to date. Companies are now required to comply with specific requirements set by the legislation. Failure to do so could result in a fine of up to 4% of annual global revenue or 20 million euros, whichever is greater.

The data in question is personal information of those who reside in the EU. More importantly, GDPR also applies to companies that reside outside of the EU while conducting business in the EU.

Many large companies are aware of GDPR and have created the processes to ensure compliance when handling personal information, especially if they have operations in the EU or handle data of EU citizens. American companies without any European presence should also take notice. US legislation won’t be far behind given the recent data leaks and security breaches.

What does GDPR mean for FP&A’s employee compensation planning?

In terms of FP&A’s planning cycle, there’s one area where GDPR will have the largest impact: employee compensation planning. In the past, I’ve been part of many design discussions on compensation planning and in almost all instances, planning at the employee level has been a requirement.

This requirement is often driven by a myth: that granularity implies greater accuracy. The need for this level of detail ignores the fact that employee-level compensation planning creates the following complexities:

1. Data Security

Movement of employees within the organization for planning purposes becomes increasingly complex when cost center owners have access to sensitive information, like employee compensation.

2. Level of Effort

When the effort to manage employee actions, such as hiring, promoting, or transferring employees, increases, it takes away from the overall value of work.

3. Application Performance

Regardless of the tool you use, an increased number of employees within the model implies there will be more data in your application. Many large companies reach a point where the amount of information is so large it has a negative impact on performance of the tool.

In the past, these complexities were mainly an internal concern. Now, with GDPR in place, any misuse of employee information may result in fines that hurt the overall performance of the business. There may be instances where you have a strong justification for FP&A in your organization to go down to employee-level detail. Before making that decision, you must ask yourself: Is it worth the risk?

What is the alternative to compensation planning at the employee level?

It would be wrong for us to leave you without providing methods to mitigate your risk. Here are two key considerations:

1. Use Roles or Positions, instead of Employees, to plan at a higher level of detail

Simply masking each employee’s unique information (e.g. name, employee ID number, etc.) may not be enough. If a cost center has only a couple of employees, each employee’s identity can still be obvious to others. By summarizing how the positions and/or roles are organized, you can make it even less obvious which employee is associated with a specific role.

2. Mask compensation metrics (i.e. salary, bonus, etc.) by using averages or estimates

Despite your dedicated effort, forecasting will never be 100% accurate. Embrace this fact by using a rough number that is directionally correct. Your end-result will still provide insights without the risk of breaking GDPR compliance.
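The two considerations above can be combined in one export step. The sketch below is an added example, not code from this article: it plans by role within a cost center, rolls up any group too small to hide an individual, and publishes only a rounded average. The field names, the minimum group size of 3, the rounding step and the sample records are all assumptions.

```python
from collections import defaultdict
from statistics import mean

MIN_GROUP = 3    # assumed minimum headcount per planning row
ROUND_TO = 1000  # assumed rounding step for the published average

# Constructed sample HR extract (not real data).
EMPLOYEES = [
    {"employee_id": "E001", "cost_center": "CC100", "role": "Analyst", "salary": 60000},
    {"employee_id": "E002", "cost_center": "CC100", "role": "Analyst", "salary": 64000},
    {"employee_id": "E003", "cost_center": "CC100", "role": "Analyst", "salary": 68000},
    {"employee_id": "E004", "cost_center": "CC100", "role": "Manager", "salary": 95000},
    {"employee_id": "E005", "cost_center": "CC200", "role": "Engineer", "salary": 88000},
    {"employee_id": "E006", "cost_center": "CC200", "role": "Director", "salary": 140000},
]

def _rollup(groups, coarsen):
    """Merge every group below MIN_GROUP into the coarser key coarsen(key)."""
    merged = defaultdict(list)
    for key, salaries in groups.items():
        target = key if len(salaries) >= MIN_GROUP else coarsen(key)
        merged[target].extend(salaries)
    return merged

def planning_rows(employees):
    """Return role-level planning rows with no employee identifiers."""
    groups = defaultdict(list)
    for e in employees:
        groups[(e["cost_center"], e["role"])].append(e["salary"])
    # Small roles fold into a per-cost-center bucket, then a company-wide one.
    groups = _rollup(groups, lambda key: (key[0], "OTHER"))
    groups = _rollup(groups, lambda key: ("ALL", "OTHER"))
    rows = []
    for (cost_center, role), salaries in sorted(groups.items()):
        if len(salaries) < MIN_GROUP:
            continue  # still small enough to identify someone: withhold the row
        rows.append({
            "cost_center": cost_center,
            "role": role,
            "headcount": len(salaries),
            "avg_salary": round(mean(salaries) / ROUND_TO) * ROUND_TO,
        })
    return rows

if __name__ == "__main__":
    for row in planning_rows(EMPLOYEES):
        print(row)
```

A rolled-up group stays hidden only if exact cost-center totals are not published next to these rows, since a total minus the visible rows would reveal the remainder.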

Your main takeaway about GDPR should be its profound impact on making business decisions. When it seems like it’s another piece of legislation causing you headaches, know it’s the first step forward to protecting your information.
