Today, in the era of digital transformation, security is considered the topmost concern for any organization, irrespective of industry, service line, or business area. Dealing with vulnerabilities, attacks, and hacking is, of course, among the main concerns in cyber security today. But we should give equal attention to data protection and data security. This is not a small area, nor is it simple to understand: the requirements of data security change with laws, regulations, and other criteria.
Human Resources plays a critical role in helping manage and train this fast-changing workforce, especially when it comes to data security. Whether employees, professionals, or part-time workers are in their first job or have just changed jobs, it is important that everyone has a basic knowledge of privacy and security standards and takes responsibility for keeping the organization’s data secure.
Proper risk assessment, regular communication with people, and encouraging each person’s responsibility towards data security all contribute to this as well. Data security is not only about providing training on best practices; it is also important to understand why employees make the decisions they do. And it is HR who oversees employee training, onboarding, cultivating a positive corporate culture, and redressing employee conduct. According to the Law Insider, these are the heart of good data security.
Data protection means that those who decide how and why personal data are processed must comply with data protection principles. Those for whom data is stored and handled also have rights.
According to CIPD, data protection is a topical and extremely complex issue which all employers need to pay careful attention to. All organizations must take steps to handle, process, and store data responsibly and keep up to date with legal developments in this area. Data protection issues can have implications for most HR activities, such as the handling of recruitment, employer references, record-keeping, and performance monitoring.
Personal data means data which relate to an identifiable living individual and include any expression of opinion about that individual. So personnel records, including sickness absence, performance appraisals, recruitment notes, etc., will be personal data. The DPA (Data Protection Act) also gives extra protection to certain types of personal data, called sensitive personal data. This includes information about the subject’s race, ethnicity, politics, religion, trade union status, health, sex life, or criminal record. Such data should be treated with particular care.
Processing information or data means obtaining, recording or holding it, or carrying out any operation on it, including its retrieval, consultation, or use.
The DPA has eight principles, which specify that data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant, and not excessive
- Not kept for longer than is necessary
- Processed in line with an individual’s rights
- Not transferred to countries outside the EEA (European Economic Area) without adequate protection.
It is against the law for a data controller, for example an employer, not to follow these principles, and substantial penalties may be imposed. The Information Commissioner can issue undertakings and enforcement notices, and for serious breaches of one or more of the principles, high civil monetary penalties are to be expected. It is important that employers understand their responsibilities and potential liabilities under data protection law.
HR records include a wide range of data relating to individuals working in an organization: for example, pay or absence levels, hours worked, and trade union agreements. This information may be stored in a variety of media, such as paper files and, increasingly, computer databases. It is important for all organizations to maintain effective systems for storing HR data, both to ensure compliance with all relevant legislation (for example, in respect of the minimum wage or working time regulations) as well as to support sound personnel administration and broader HR strategy.
At the end of 2015, the EU institutions agreed on the text of the EU’s successor privacy legislation: the GDPR (General Data Protection Regulation). The General Data Protection Regulation is a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU. It also addresses export of personal data outside the EU.
One way to describe the GDPR is that it simply legislates a lot of common-sense data security ideas, especially from the Privacy by Design school of thought: minimize collection of personal data, delete personal data that is no longer necessary, restrict access, and secure data through its entire lifecycle. Below is a simple diagram to describe the GDPR and help you understand it.
If a data breach relates to HR-related data, the employer must notify the affected employees without undue delay if the breach is likely to result in a high risk to their rights and freedoms. To avoid notification fatigue, the GDPR contains a few exceptions to this rule (e.g. if the data was encrypted).
For HR professionals, it will therefore remain important to continue to follow national law developments in the field of privacy in the workplace, in addition to the more generic GDPR.
The GDPR will not only apply to employers processing the personal data of their employees, but also to HR service providers that process such data on behalf of the employer (“data processors”). This is an important change compared to the current legal framework, where HR service providers only have a contractual obligation vis-à-vis the employer, but are not directly accountable for complying with the data protection regulations.
It is always a wise choice to look at data protection issues from the beginning and plan accordingly. So what are the top data protection issues for HR professionals?
- HRIS Platforms Roll-Outs
Employers must abide by EU data protection rules when rolling out a global HR information system involving the processing of EU employee data outside of Europe.
- Data Breach Reaction
EU Data Protection Rules impose specific requirements for storing, processing, and transferring personal data about EU employees; an employer’s liability exposure is increased by failure to prepare for data breach incidents.
- Bring Your Own Device
EU Data Protection Rules impose obligations on data controllers (employers) to ensure the security of personal data they hold about their employees.
User devices can easily pass malware and viruses onto company platforms and impact security levels. Combining personal data of employees with company data may complicate compliance with EU data protection rules.
- New EU Data Protection Regulation
A new and highly controversial Regulation on data protection has been announced by the EU institutions; it will soon become directly enforceable law in all EU Member States and will also affect non-EU countries.
- Data Access Requests
EU data protection rules give employees the right to access personal data about them that is held by their employer, and also to correct inaccurate information or request its deletion.
- Monitoring and Cross-Border Investigations
EU rules limit the ability of EU legal entities to process personal data within Europe, and to transfer it to foreign affiliates and third parties, including non-EU governmental authorities.
It is important that employers understand their responsibilities and potential liabilities under data protection law. Employers should therefore develop policies in this area that take a compliant but balanced approach, and ensure that employees are aware of and understand their rights and obligations under data protection law.
We must prepare to take the steps necessary for compliance with data protection and security requirements. It is our responsibility now to deal with it.
Soumyasanto Sen is a blogger, speaker, and evangelist in HRTech who engages with companies, startups, and other entrepreneurs in driving transformation.
He is a professional consultant, manager, advisor, and investor in HR Tech, focusing on strategies, mobility, cloud, analytics, UX, security/data protection, developments, and integration in HR Technology and Digital HR Transformation.