Published: Jun 29, 2020Time to read: 7mins Category: Insights
Rapid Pace of Change: 3 Ways HR Teams Can Prioritize Data Security
With the rapid pace of change in our workforces and the growing number of different technologies necessary for HR to manage domestic and global teams, data protection and security should be of paramount importance. However, recent studies show that HR professionals are struggling when it comes to prioritizing data security. In this article, Derrick Ware, VP of Software Engineering and Technology at PeopleFluent, offers insights on how to understand and comply with GDPR regulations and how your HR teams can reduce the risk for security breaches by collaborating with security professionals.
Based on a 2019 survey from GetApp, 34% of respondents said their business was operating without an employee data protection policy in place. According to the poll, 55% of HR professionals don't consider data security a serious issue. With our workplaces becoming more remote and globally dispersed, it’s more important than ever for HR to prioritize data protection and security.
To reduce the risk for security breaches, HR teams must work together with IT and/or security teams to safeguard data and develop a comprehensive data protection policy. It all begins with prioritizing data security and solidifying a culture of responsibility across their distributed organizations. Furthermore, if the process is done strategically and aligned with HR, employees can also be trained to identify and combat security risks.
So here are three practical ways HR professionals can prioritize data security.
1. Understand Your Role per GDPR Regulations
The GetApp survey sheds light on a number of issues surrounding data protection within organizations. For instance, only 19% of businesses revise their data security policy quarterly. Furthermore, only 21% conduct quarterly training sessions and the same amount said they’re aware of the General Data Protection Regulation (GDPR).
There are numerous reasons to familiarize yourself with GDPR, including understanding what type of data you’re in control of and how you plan to manage it safely and securely. Depending on the way your company uses data, GDPR guidelines consider your organization as either data controllers or data processors.
Data controllers are responsible for determining the purpose for how and why personal data is used by an organization. Data controllers have the most responsibility when it comes to protecting a data subject’s privacy and rights. In other words, they must prioritize setting the procedures and purposes for how personal data will be used.
For example, ACME Company wants to know how well certain pages of their website are performing. ACME Company will collect data, such as which pages the visitor navigated to and how long they stayed on each page. This data will be compiled to audit the company’s existing website performance and eventually launch an advertising campaign. As a data controller, ACME Company must decide and outline how all of this data will be used and processed, as well as what purpose it’s being used for.
Data processors are individuals or businesses that process personal data on behalf of a data controller, with the exception of a data controller’s own employees. A data processor can be a third-party company contracted by the data controller whose purpose is to process personal data. Processors are not owners of such data nor do they have control over how they use it. They must adhere to the instructions given to them by the data controller and cannot change how or why the personal data is used.
Using the example above, ACME Company is collecting their visitor data via Google Analytics. This will allow the company to choose where to focus their advertising efforts and to beef up content on pages which don’t perform well. In order for Google Analytics to provide insights and make recommendations, ACME Company must share data with them so they can process it per the instructions from the data controller (ACME Company).
If You’re a Data Controller and Data Processor
Because data controllers and data processors have different responsibilities, it’s vital for organizations to understand what role they play. Further muddying the waters is the fact that some companies may fall under the role of both data controller and processor. If your organization provides services to controllers, it’s likely that you’re a controller for some personal data and also a processor for separate personal data.
The key takeaway for organizations who are both processors and controllers is that you cannot process the same personal data for a single purpose. Your systems and processes must distinguish between the data you are processing as a controller and the data you’re processing on behalf of another controller.
Also read: 'The Power of Automation in Compensation Management and Talent Acquisition'
2. Know What’s at Stake for Your Organization
Nowadays, the biggest thing to remember is the scale and speed at which your organization’s data can be compromised. Twenty years ago, one individual might have been able to access a “back door” into a modem and access minimal amounts of data or information. Yet, if your organization had a capable security team, these breaches were avoided or caught in time. Today, there’s a slew of sophisticated individuals who have the knowledge and ability to pull off a massive data grab. What’s more, these individuals are typically part of a larger crime syndicate interested in making millions off this compromised data.
Because databases can be quickly accessed by those with nefarious intentions, it’s even more important for organizations to know what’s at stake. Knowing what technology you have and how to properly secure it can mean the difference between your organization’s private data being protected and becoming the next company whose data is breached.
While it’s easy to understand why organizations choose to utilize “out-of-the-box” solutions, like Amazon Web Services (AWS) for a quick and easy web-hosting environment, these solutions should be properly and thoroughly configured by a security professional. As technology, especially AI, continues to evolve, our security processes must evolve with it. This ensures your organization is not left vulnerable to data breaches, which can be costly and ruin your public image or reputation.
You might also like: 'The Top 4 Benefits of Using Compensation Management Software'
3. Due Diligence Requirements
From an HR perspective, there are certain measures your teams can take to ensure your data is secure. Considering the risks for security breaches and data protection, HR professionals and organizations should focus on finding resources to learn more about data protection and data security. A good starting point is to complete a business impact analysis. This can help HR professionals know what processes and systems they have, as well as what vulnerabilities exist and where.
A business impact analysis is an intricate process and should be completed by HR teams and in collaboration with the appropriate security experts. Security professionals will start by asking HR professionals a pre-configured set of questions prior to conducting an analysis. To ensure you’re prepared to answer these questions, the following are a few example questions a security professional may ask when conducting an impact analysis:
- What is the valuable data your company is tasked with securing?
- How is the data categorized?
- Where is the data stored and how is it managed?
- Who has access to this data and why?
- What is the impact on our organization if this data is breached?
Once the business impact analysis is completed, HR teams can work with security professionals to ensure a plan is in place. This plan will allow your organization to implement the proper safeguards and adequately control and secure the data, which is a requirement per GDPR. Furthermore, there should be a strategy in place for reviewing such controls and processes. You should review these plans semi-annually or as technologies change and evolve.
Related reading: 'Single-Tenant LMS vs Multi-Tenant LMS: A Question of Security'