When people discuss data breaches, it’s often around the exposure of customer details and credit card information. While ensuring that your customer data is safe is clearly important, it’s essential that companies demonstrate equal care when dealing with employee data.
The past year has seen a flurry of security breaches, and subsequent media and public scrutiny. In July the US government was embroiled in the debate when its database was breached, leading to the theft of data belonging to at least 21.5 million people, including millions of government employees. While this example is extreme, HR teams in all organisations handle sensitive data every day, and would feel any breach of this type just as acutely. Hackers stealing employee benefits records, for example, could gain access to staff home addresses, information on their dependants, their medical history, social security numbers, salaries and bank details. Imagine if that happened to your employer. How violated would you feel knowing that a criminal held that many of your personal details?
Research into local government data handling revealed at least 401 instances of data loss or theft, and 628 instances of incorrect or inappropriate data sharing via emails, letters and faxes between April 2011 and 2014. Despite incidents like this highlighting the importance of data protection, many organisations still have no set processes in place around how they handle employee data. With the EU preparing to reform its data protection legislation later this year, it is of critical importance that HR teams review these processes to avoid financial and legal ramifications.
Indeed, the weight the EU places on non-compliance is evident in the fines proposed, which could see companies fined the greater of €100m or 5% of global revenue.
With the Council of the EU recently reaching what it described as “a general approach” on the new Data Protection Regulation after a standstill of over a year, companies are fast running out of time to reform their data protection processes. According to the Council of the EU, the proposed regulation will “enhance the level of personal data protection for individuals” and “increase business opportunities in the Digital Single Market”. It aims both to harmonise the current laws in place across the EU member states and to provide a higher common standard of data protection.
While some HR teams will welcome clearer regulation, there are certain aspects of the proposal that are likely to make them nervous. For example, in the UK there is currently no legal requirement for companies to self-report data breaches, meaning that personal data could already have been stolen without the victim knowing. This will change under the new regulation, which will introduce a general data breach reporting obligation.
A large part of the problem lies in a lack of education. Outside of the IT department, employees simply aren’t familiar with best practice for data protection. Many are completely unaware of the need to encrypt data prior to transfer. We’re still hearing of Excel documents and emails being used to transfer confidential financial employee data to insurers and pension providers. Even large multinationals, with well-established data protection processes, are failing to replicate best practice in locations with a smaller head count. This simply is not good enough. Data protection processes must be implemented universally. It’s a question of upskilling all employees, not just those who handle the greatest amount of data. Companies have a duty to their employees which includes protecting their sensitive data, no matter where they’re based.
For many companies, compliance will mean a complete overhaul of their data protection procedures before the regulation is implemented. Even companies with fewer than 250 members of staff may need to consider hiring dedicated information security officers to take on the responsibility of protecting employee data.
The proposed regulation will also mean significant changes for HR departments across the UK. Given that the data they handle is so sensitive, all HR employees will need to upskill on data security, and fast. In addition, the changes are likely to force HR departments to rethink their recruitment strategies and attract hires who have data protection experience. We are already seeing HR recruitment criteria changing in the US, and the EU certainly won’t be far behind.
Nevertheless, compliance will mean more than reviewing internal processes. Under the new regulations, any company or individual that processes data that can be used to identify an individual will also be held responsible for its protection, including third parties such as cloud providers. Third parties will therefore need to be extra vigilant, but data owners will ultimately be held responsible for properly vetting all organisations that handle their data.
HR teams and others who handle data must start to think about how they can protect themselves, and using an employee benefits portal to automate data processes is one way to do this. There is a wealth of information that companies need to hold to determine benefit eligibility, including medical history and number of dependants. Using a benefits platform to remove the risk of manual error and add a data security wrapper around the data can help organisations remain compliant. It also allows data to pass securely between an organisation and a third party, and ensures that the technology environment is globally consistent.
The “trilogue” of the European Commission, the European Parliament and the Council of the European Union is next scheduled to meet later this year. Although the changes might initially seem a burden for HR departments, compliance means that employees will be far more in control of their data and that the chances of data loss will be greatly reduced. The most important piece of advice I’d give HR teams is to act now – and be prepared.