The Strengthening Of Data Protection And Cyber Security Regulations: What Does It Mean For HR?

The regulatory regime for data protection and cyber security is fast evolving. The bar is being raised and it is hard to keep up with the new regulations, both local and international.

In this article we look at the effect this has on how organisations manage their employee data, where the most common risks lie, and some PRACTICAL suggestions on how organisations can improve their overall data protection posture.

HOW FAST IS THE REGULATORY ENVIRONMENT EVOLVING?

Very fast, and the changes are only moving in one direction: more stringent requirements, improved enforcement mechanisms, and tougher financial and criminal penalties.

Here are just a few examples:

  • The European Union’s NIS2 directive (Network Information Security 2), with a national adoption deadline of 17th October 2023 for all EU member states, impacts critical sectors like energy, transportation, and healthcare. It mandates stricter cybersecurity measures for these industries, improved incident reporting, and greater cross-border collaboration to bolster the resilience of Europe’s digital infrastructure against cyber threats.
  • Switzerland’s new Federal Act on Data Protection (nFADP), which came into force on 1st September 2023, heightens employer obligations, demanding stricter data handling, consent, and transparency to safeguard employee privacy.
  • South Korea’s amendment to the Personal Information Protection Act (PIPA) expands data protection obligations for employers, requiring stricter consent and security measures. It strengthens individuals’ privacy rights and imposes harsher penalties for non-compliance, prompting employers to enhance their data handling practices to safeguard employee information.
  • Changes to the California Privacy Rights Act (CPRA), effective January 1, 2023, introduced enhanced data protection requirements on employers. It grants employees more control over their personal data, requires transparency in data handling, and imposes stricter regulations on businesses.

WHAT DOES THIS MEAN FOR HR?

HR handles some of the most sensitive data within an organisation, including employees’ personal data, family data, health data (e.g. medical certificates), compensation data, bank account details, tax data, etc. Historically, HR teams have relied on their IT departments to keep this data secure within the organisation’s IT environment. HR then simply needed to follow common-sense day-to-day working practices to avoid personal data being seen by the wrong person, e.g. save sensitive documents on a secure drive, don’t leave documents lying around the office, and be very careful to enter the right email address when emailing a document.

In today’s world, this is far from an adequate approach. HR teams need to go much further to ensure that employee data is secure and that they can demonstrate that this is the case.

WHAT ARE THE MOST COMMON RISKS?

There are five main risk areas:

  1. Storage of employee data
  2. Access to employee data
  3. Supply chain management (of outsourced activities)
  4. Transmission of data
  5. Job applicants

Let’s look briefly at each risk and what a robust approach looks like.

Storage of employee data

Employee data should be stored in systems that follow industry best security practices and are therefore more resilient to data breaches and data leaks. For example, software that stores employee data should be designed to be secure (e.g. it meets OWASP’s architectural standards), the hardware that supports the systems should be secure, and independent penetration testing should be performed regularly. The systems storing the employee data should be reliable, durable, regularly backed up, and have fall-back procedures in case of disasters.

Access to employee data

Access to employee data should be limited to individuals who need that data to perform their job or the service being provided. This means there needs to be role-based access to employee data, and the configuration of the systems must enforce those access controls so that they cannot be bypassed. Two-factor or multi-factor authentication should be used for accessing systems that store employee data.

Supply chain management

Most organisations externalise some aspects of their people management, for example payroll, work permits, pre-employment background checks, and benefits administration. Organisations need to select vendors that have robust data protection and IT security practices and effective people management practices (including training of their own employees). It is also important to ensure that end-to-end processes are secure, such as who has access to personal data and how it is transferred for processing.

Transmission of data

Employee data needs to be shared – both internally and externally – using secure platforms. Sending personal data by email and in Excel files is very risky. It is easy to type in the wrong email address. Emails can easily be forwarded to a person who should not see the data. Password-protected files are very easy to crack. Such files often end up being saved on a person’s personal drive on their laptop. The information is then often less secure and very difficult to control (e.g. to permanently delete or anonymise).

Job applicants

Job applicants should consent to their data being processed and stored. In many countries job applicants also have the legal right to request that the organisation holding their job application delete and anonymise all personal data stored on them, or any combination of data that would make them identifiable. They may also be entitled to request that the organisation make changes to their personal data in an old job application. As such, recruitment systems need to be able to manage these requirements.

HOW CAN WE ASSESS WHETHER OUR ORGANISATION IS COMPLIANT WITH DATA PROTECTION AND CYBER SECURITY REGULATIONS?

Whilst the requirements vary by jurisdiction, in most developed markets there are many commonalities, and there has been a lot of international alignment of the rules over the past 5–10 years.

If you are unable to answer “yes” to these 4 questions, you are unlikely to be fully compliant with the data protection and cyber security requirements in many countries:

  1. Is employee data stored exclusively in a cyber-secure HR system or systems that are backed up at least weekly, are accessed via a two-factor authentication mechanism, have role-based access, and are penetration tested at least annually?
  2. Are all exchanges of personal data with third-party vendors managed via a secure platform rather than by email?
  3. Is your payroll managed without any exchanges of employee personal data or remuneration data (internally or externally) by email or Excel?
  4. Are you able to permanently delete or anonymise, and to amend, job applicants’ personal data?

AN OPPORTUNITY FOR HR DEPARTMENTS

PeopleWeek often talks to HR directors who continuously struggle to obtain the budget required to implement the systems they need to manage and develop their people, as well as to help their HR teams work more efficiently. Whilst most CEOs talk the talk, saying that “people are our greatest asset”, all too often this does not extend to investing money in systems for employees and managers. However, you can be pretty sure that when the HR director highlights that their current processes – and the systems that underpin them – are not compliant with data protection requirements, the CEO and CFO have a different sense of urgency. It is a shame when this card needs to be played, but it is perfectly legitimate when the organisation is indeed non-compliant with the legal requirements.

PeopleWeek is very happy to talk to you if you have questions on this topic. You may also like to complete our HR Systems Maturity Survey here.