A Human Look at GDPR: Three questions HR leaders should ask about data protection

Author(s): Aaron Shum

In a recent survey, it was found that “a third of Human Resources teams admit to breaching the General Data Protection Regulation – and potentially face sanctions for non-compliance – by not deleting personal data about employees, leavers, and candidates after data-retention periods expire” (CIPHR, 2018). The numbers become even more curious when considering that 87% of respondents said they are confident they are “fully compliant” with the regulation, that 83% of the respondents have set retention periods for said data, and yet only 69% said they had put these policies into practice.

Regardless of the reasons behind such discrepancies, HR teams now find themselves in unique and compromised situations amidst this new age of data privacy. With many compliance programs driven by legal or compliance organizations – often with a data-centric or technical approach that HR professionals may not be familiar with – HR leaders must ask the right questions to ensure their operations conform to new data protection rules.

How should we enforce our data retention policies?

HR organizations – especially those with operations in multiple regions, states, or countries – often have varying retention requirements due to applicable employment or labor laws. When combined with an organization’s need to retain employee data for business reasons, there is much legal and technical complexity around how much HR data should be kept and for how long. Building ongoing processes to purge data that has reached the end of its retention period can reduce the risk of keeping data unlawfully.

TIP: Centralize your data as much as possible, and use the retention settings built into your systems; many modern systems can be configured to purge old data automatically once the retention period is reached (ask your IT department). At a minimum, organize archived data into chronological folders and purge their contents every few months.
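As an added illustration of what an enforced retention schedule looks like in practice (example code written for this page, not from the article or any HR product), the script below keeps a per-region, per-category schedule, respects a legal hold, and refuses to guess when a record has no matching rule. The retention periods, field names and sample records are constructed assumptions, not legal advice.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule (assumption, not from the article): years to
# keep a record after its end date, keyed by (region, record category).
RETENTION_YEARS = {
    ("UK", "payroll"): 6,
    ("UK", "candidate"): 1,
    ("DE", "payroll"): 10,
    ("DE", "candidate"): 1,
}

@dataclass
class HrRecord:
    record_id: str
    region: str
    category: str
    end_date: date            # leaving date, or the date a vacancy was closed
    legal_hold: bool = False  # set while litigation or an investigation is open

def add_years(d: date, years: int) -> date:
    """Date arithmetic that copes with 29 February landing in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def purge_due(record: HrRecord, today: date) -> bool:
    """True when the retention period has expired and no hold blocks deletion.
    A record with no matching rule is an error, not a silent keep or purge."""
    years = RETENTION_YEARS.get((record.region, record.category))
    if years is None:
        raise KeyError(f"no retention rule for {record.region}/{record.category}")
    if record.legal_hold:
        return False
    return today >= add_years(record.end_date, years)

def records_to_purge(records, today: date):
    """IDs of every record the schedule says should be deleted as of `today`."""
    return [r.record_id for r in records if purge_due(r, today)]

# Constructed sample records.
SAMPLE_RECORDS = [
    HrRecord("p-001", "UK", "payroll", date(2012, 3, 31)),
    HrRecord("c-002", "UK", "candidate", date(2017, 6, 1)),
    HrRecord("p-003", "DE", "payroll", date(2012, 3, 31)),
    HrRecord("c-004", "DE", "candidate", date(2017, 1, 15), legal_hold=True),
]

if __name__ == "__main__":
    print(records_to_purge(SAMPLE_RECORDS, date(2018, 12, 1)))  # ['p-001', 'c-002']
```

Running the list on a schedule and logging what was deleted (and what was held back, and why) gives you the evidence of practice that the survey above found most teams lacked.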

Are we keeping too much employee data?

Data analytics and business intelligence capabilities can give HR leaders much insight into the movement, productivity, and engagement of people. Organizations often retain full sets of employee records, citing legitimate business interest under GDPR, so they can analyze organizational changes over time. However, due to the sensitivity of HR data, keeping these records for longer than legally required can increase the risk of exposure from cyberattacks and data breaches. HR organizations must assess what data provides tangible insights and employ techniques such as de-identification or anonymization to protect the identity of candidates and current or previous employees. For example, when storing salary data for future analysis, remove names and other identifiable fields from the data sets if only salary and role information are needed.
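The salary example above has a catch worth seeing in code: once names are gone, a role and department that only one person holds still points straight at that person's salary. The added example below (written for this page, not the article's or any vendor's code) strips direct identifiers, coarsens salaries into bands, and then suppresses rows whose role/department combination appears fewer than k times. The sample records, field names and band width are constructed assumptions.

```python
from collections import Counter

# Constructed sample export from an HR system (field names are an assumption).
EMPLOYEES = [
    {"name": "A. One",   "email": "a1@example.com", "employee_id": "E100",
     "role": "Analyst",  "department": "Finance", "salary": 52000},
    {"name": "B. Two",   "email": "b2@example.com", "employee_id": "E101",
     "role": "Analyst",  "department": "Finance", "salary": 54500},
    {"name": "C. Three", "email": "c3@example.com", "employee_id": "E102",
     "role": "Analyst",  "department": "Finance", "salary": 51000},
    {"name": "D. Four",  "email": "d4@example.com", "employee_id": "E103",
     "role": "Director", "department": "Finance", "salary": 120000},
    {"name": "E. Five",  "email": "e5@example.com", "employee_id": "E104",
     "role": "Engineer", "department": "IT",      "salary": 68000},
    {"name": "F. Six",   "email": "f6@example.com", "employee_id": "E105",
     "role": "Engineer", "department": "IT",      "salary": 71000},
]

DIRECT_IDENTIFIERS = {"name", "email", "employee_id"}
QUASI_IDENTIFIERS = ("role", "department")  # identify a person in combination

def salary_band(salary: int, width: int = 5000) -> str:
    """Coarsen an exact salary to a band so the figure is less of a fingerprint."""
    low = salary - salary % width
    return f"{low}-{low + width - 1}"

def strip_row(r: dict) -> dict:
    """Drop direct identifiers and replace the exact salary with its band."""
    row = {f: v for f, v in r.items() if f not in DIRECT_IDENTIFIERS and f != "salary"}
    row["salary_band"] = salary_band(r["salary"])
    return row

def de_identify(records, k: int = 3):
    """Return (kept_rows, number_suppressed): rows whose (role, department)
    combination occurs fewer than k times are withheld from the analysis set."""
    stripped = [strip_row(r) for r in records]
    key = lambda r: tuple(r[f] for f in QUASI_IDENTIFIERS)
    group_sizes = Counter(key(r) for r in stripped)
    kept = [r for r in stripped if group_sizes[key(r)] >= k]
    return kept, len(stripped) - len(kept)

if __name__ == "__main__":
    rows, dropped = de_identify(EMPLOYEES, k=3)
    print(rows, dropped)  # the three Finance analysts are kept; 3 rows suppressed
```

The lone Director is the case the paragraph warns about: the name is gone, but the row is still one person's salary, so it is withheld until enough similar records exist.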

Are we properly securing our data, and how secure are our vendors?

Almost every year, it seems, a lost or stolen USB key or laptop containing unencrypted employee or customer data results in an embarrassing and damaging data breach for an organization. Despite many organizations investing heavily in technological security, such as internet firewalls and anti-virus applications, the majority of data breaches are caused by human error. To minimize the risk of employee mistakes, HR organizations should take proactive steps to secure the sensitive HR data in their possession. Strengthening your data security also shows your employees that you care about the safety of their private information.

Some key considerations include (but are not limited to):

  • Minimize your data footprint on removable and mobile devices; store sensitive data in centralized locations with enhanced security instead.
  • Encrypt your removable and mobile devices (ask your IT department for supported encryption tools).
  • When sending sensitive data over email, ensure the email or the data is encrypted; “37% of data breaches were caused by employees sending sensitive data to the wrong recipient” (verdict.co.uk).

In addition to securing your internal processes, HR organizations that outsource standard HR applications or specific HR functions should also ensure their vendors are protecting HR data appropriately. This is especially important under regulations like GDPR, where data controllers (you) are responsible for data protection of personal data processed by data processors (your vendors); any breach of personal data processed by vendors on your behalf is your responsibility. To minimize exposure in this area:

  • Ensure your contracts with vendors include data protection language (known as standard contractual clauses) that limits what they are allowed to do with your data and sets the level of data protection that must be in place. Larger vendors will likely have these in their terms of use or compliance center. Refer to your legal counsel to validate that the right agreements are in place.
  • For larger operations, ensure there is an audit process in place and periodically assess the data protection capabilities of your key vendors.

Many organizations struggled with how quickly GDPR was introduced and came into regulatory effect, and took an out-of-the-box approach to achieving their state of compliance. Applying the context of HR to these requirements and modernizing your operations can simplify how your HR professionals support them outside of your organization’s compliance program, and bring a human touch to GDPR.
