It’s 7 am in the morning in New York.
Megan, head of payroll for a US based global company gets a rude awakening from a new employee, Harry, calling long distance from the UK.
He didn’t get paid and the local finance team is on annual leave.
Harry is in an extreme panic—a single father of 3 kids in London, he has a huge financial responsibility and lives paycheck to paycheck.
Meanwhile in New York, Megan, a mother herself, rushes to help her colleague before she needs to prepare her kids for school. In between making breakfast, she quickly logs into the UK payroll system and sees that Harry’s bank information and address is missing.
Harry sends Megan his bank account information and address. Megan updates the system and resubmits the pay run for Harry, who then gets his pay. Megan feels like super woman for multitasking and drops her kids off at school right on time.
Little did she know this benevolent act just put her company at risk of fines worth over a million dollars for violating the new GDPR guidelines…
GDPR: What You Need to Know
Europe’s new General Data Protection Regulation (GDPR) is rolling out with fines up to €20 million or 4% of global revenue for organisations who break the rules. When the stakes are this high there is no room for error.
Despite this, up to 61% of organisations have yet to begin work on making their processes and systems GDPR compliant.
Remember that GDPR applies to any organisation that “processes” personal information from people residing in Europe. The definition of “processing” includes storing and transferring data, and even simply viewing data. Even a US based company with employees in Europe, storing EU employee data in a US HR system is subject to GDPR guidelines. If the same organisation stores EU employee data in the EU, but views it from the US, that viewing constitutes the transfer of personal information across borders and makes the organisation globally subject to GDPR.
As we just read, Megan wanted to do the right thing to help her UK colleague, but she viewed UK employee personal data from the US and moved that unencrypted personal data across internal borders breaking GDPR twice.
The GDPR has five general requirements around security. Here is a summary of what you need to know, questions you need to ask and plans you need to make from a Human Resources perspective:
1. Implement a level of security appropriate to your risk profile
In order to gauge your level of risk, you must first identify where employee data is stored. For most organisations, it’s not all in one place. From general HR systems to third party vendors and regional systems used by satellite offices, the more variability in the systems you use the greater the risk profile of your organisation.
Once you’ve identified where the data resides, you can quantify the severity of the risks you are exposed to. Remember, the more extensive or sensitive your data (e.g., fingerprints, trade trade union memberships, health data) the higher the risk profile.
If the personal data you hold can be used against the individual in some way (identify theft, disclosing a personal home address or private phone number etc.) it is considered a significant risk.
2. Pseudonymize and encrypt personal data
Of course, HR data should be encrypted and stored in a safe and secure system, but it’s never that simple. Depending on the viewers access rights, some data should be visible and others not.
Consider:
- Are you encrypting at rest and in transit?
- Do all systems encrypt data the same way with the same level of protection?
- Will your access rights and processes stop cross border transfer of sensitive data?
- Are you protecting any paper-based documents from unauthorized access and viewing?
3. Ensure that personal data is secure and available
Personal data must remain confidential and only be changed by authorized people and processes. It must also be available to the data subject (the employee) at any time and stored/processed in resilient systems.
Ask yourself:
- What controls are in place to ensure the personal data remains “confidential”?
- Can we guarantee that only authorized people can access or change the data?
- Is there a permanent, secure record of who has accessed and who has changed data?
- Are the systems we use reliable enough and accessible 24/7 so personal data is accessible when needed?
4. Ensure that systems and data can be restored quickly
GDPR requires that access to data be restored quickly. “Quickly” is open for interpretation, but it needs to be fast enough so that a data subject (the employee) may access their data when they reasonably want to—it is their data after all.
5. Prove that you regularly test, assess, and evaluate the effectiveness of your security
GDPR requires organisations to prove data protections are in place and operating effectively.
Here are a few ways to prove it:
- ISO 27001 certification: This links directly to the data protection requirements of GDPR as it requires companies to manage risk, use risk analysis to drive the implementation and measurement of effectiveness of appropriate security controls.
- Sarbanes-Oxley, SOC 1 and SOC 2 audits. They demonstrate that you have security controls in place.
- Internal IT audit team: Keeps you up to date by performing routine audits of security and privacy controls, routine vulnerability scans and network penetration tests.
Leverage a Digital Workforce Management System to Process Your Data
A digital workforce management solution is a key platform that can help simplify and accelerate your GDPR compliance effort.
For example, a new employee would get a notification when his data is transferred to another country. As a result, our friend Megan would have not comprised her company by violating the GDPR without the proper workforce management solution.
Want to learn more? Contact us to discuss how a workforce management solution can help you with GDPR.