If you’ve ever been involved in an HCM system migration, you know what a massive effort it is to move between HCM systems. You also know that acquiring companies usually means there will be another HCM system, or at a minimum a payroll system, that needs to be integrated. If you’ve upgraded to the cloud, what did you do with your old system? Did you get a quitter file? Keep the old database? Maybe keep the old system running? All of these have dramatic impacts on GDPR compliance because they are rife with personal identifying information and lots of things people really freak out about relating to privacy.

Ye Old HCM System

You have that old legacy system lying around from when you migrated or acquired that company way back when. Is it GDPR compliant? Probably not. Old systems may not be protected by SSL/TLS, so encryption in transit is not possible. More than likely, encryption at rest is not supported in your old system, and neither is two-factor authentication (2FA). These are all disqualifying things for GDPR compliance. Since it’s an old system, it’s highly unlikely it will ever get the new features needed for compliance. The old strategy of keeping old software around to satisfy legal requirements to retain employee data for the typical 7 or even 30 years in some cases will not work for these types of new regulations.

SAAS doesn’t fix it

Maybe you have already migrated to one of the SAAS HCM platforms of the future. It’s all better now because we’re in the cloud. But what happens when you decide to migrate away from that SAAS provider? SAAS isn’t new. From the beginning of the web the “cloud” has always been there, so wanting to move your service to a new provider isn’t some future idea. It happens all the time.

Moving between SAAS providers is more complex because some of the shortcuts you took in the past with historical data governance aren’t applicable. You don’t have a legacy system that you can just keep the data in until it’s thrown out. If you’re lucky enough to get your data from a SAAS provider, keeping it in a zip file on a Windows share is not allowed by GDPR or any other regulations. So what are you going to do with all that old HR data now? Loading it into your cloud provider means a lot of work and clutter you don’t want in that system. Starting a huge multi-man-year project to implement a solution is a waste of resources.

What do you do?

You need somewhere else that is already GDPR compliant. Somewhere you can easily access the data, answer subpoenas for litigation in a compliant manner, and sunset that data when it expires or you have a “right to be forgotten” request. Fuse archive solutions offers this option so you can quickly move the data in and be compliant out of the box. Let us help you nail your compliance problem today.
