Safeguarding employee privacy is a key concern in today’s digital economy.
By Marta Chmielowicz
With the digital economy in full swing, HR leaders are embracing technologies that capture employee data and deliver insights that can be interpreted to better attract, retain, and grow talent. But the flood of numbers pouring in from talent management platforms across the organization carries risk as well as reward.
“One major pain point that companies face is the vast amount of information there is to protect,” says Mike Couvillion, chief technology officer at Kazoo. “Even for smaller organizations, each employee has quite a bit of sensitive information held by the company—meaning it’s a pretty big task to securely manage and safeguard it all, especially as organizations grow. Add to that the prevalence of internet-connected devices and the ability to work remotely from any location, there are more access points than ever before for intruders to try to breach employee data.”
And the consequences of a data breach can be severe. For example, when a 2014 data leak at Sony Pictures Entertainment exposed over 100 terabytes of private employee information—including social security numbers, emails, salary data, medical histories, birthdates, and home addresses—Reuters reports that the company was forced to pay $8 million in settlements.
How can companies prevent these data breaches and better protect themselves and their employees? Kon Leong, CEO and co-founder of ZL Technologies, recommends a personalized approach.
“Every HR department needs to get a read on the company’s privacy comfort zone,” he explains. “Different companies under various regulations and cultures will have different answers, so policies will also vary. For example, a European company’s approach will invariably depart from a U.S. company due to differing notions of privacy.”
Protecting Employee Data
Employee data is incredibly useful for measuring performance, identifying skill gaps, and recruiting new talent, but balancing access and analysis with data security can be a major challenge—especially when information is dispersed across numerous HR systems.
To keep a firm grasp on sensitive information, employers need to look inwards and address any internal processes that could increase risk. “The best methods to help maintain privacy of employee information will not come from protecting the perimeter, but rather from protecting it from the inside. In other words, although building a wall around your data is important, make sure you know what is actually within those walls as well,” Leong says.
HR professionals should take into consideration these three best practices:
- Create a culture of safety awareness. Upon hearing the words “data breach,” many automatically assume that threats can only come from an external source: A hacker finds a crack in the firewall or distributes an email containing malware. But in fact, McAfee’s Grand Theft Data study reports that 43 percent of serious data breaches are caused by internal employees and contractors—and half of those are accidental.
HR has a responsibility to educate employees in order to protect data from the inside out. “An integral part of safeguarding employee privacy is to create a culture focused on security and privacy awareness by educating your people on how to safely handle sensitive information,” says Couvillion. “When employees know how to maintain their own security, they’re in a better position to keep company and employee data safe, help secure the network, and protect their own personal data.”
Leong recommends that HR professionals offer interactive training sessions and gamified cybersecurity lessons to build accountability and teach employees skills that they can apply at work and at home. Educating employees about simple safeguarding tactics like password security, social engineering hacks, and general file security best practices can make a big difference, Couvillion says.
- Know where data is stored. From candidate relationship management and applicant tracking systems to learning platforms, payroll management systems, and recognition software, employee data is often scattered across the organization.
“One of the major pain points when it comes to data security is knowing where your employee data is stored and who has access to it,” says Kim Lessley, director of solution management at SAP SuccessFactors. “Even if an organization has the good fortune of managing all of these processes out of a single HR system, chances are they will still have integrations to third-party systems, such as external vendors for background checks, employment verification, and benefits management. Understanding where this data is and how it flows from one system to another is a major challenge for most organizations.”
Often, lack of integration across systems requires HR staff to manually gather data from multiple sources and compile it into spreadsheets for analysis, placing the information in an unsecure format and increasing the odds that it will be seen by an unauthorized employee.
To combat this risk, Lessley suggests that HR professionals limit the amount of data that their organizations store. “A good rule of thumb is to practice data minimization—only collect and store the information you absolutely need, purge it when you no longer have a business need for it, and limit access to employee data to only those who really need it for their positions,” she says.
Additionally, Lessley says that employers should map out the data that resides in each system, as well as the ways that data flows between platforms. Only then can they maintain oversight of the information and establish processes for granting permissions to access that data.
“Ensuring employee privacy requires an iron grip on data. To achieve this, organizations need to be able to search the data ‘universe’ to locate, manage, and remediate information across various data silos,” Leong agrees.
- Maintain proper authorization practices. Another challenge of data security is managing authorizations and keeping them up-to-date as systems change and employees move around the organization. Lessley recommends that organizations establish a clear process for granting data authorizations and review it on a regular basis.
“An organization may start out with an HR department of two people who perform all HR tasks and therefore need to be able to access all employee data,” she explains. “Over time, the company grows and the department expands to six people specializing in different areas of HR. Do all HR employees need to have access to all employee data, or can you segment and limit what sensitive data certain roles can access?”
Couvillion says that employers can add an extra level of security by storing their private and confidential data on secure, protected networks. “Firewalls, two-step or biometric authentication methods, encrypted data, and other new technologies should be leveraged to protect and maintain the privacy of employees,” he says.
Data Breach Procedures
No matter how diligent an organization is about its privacy protection policies, data breaches can happen—and HR leaders need to know how to respond. “The most important thing an HR professional can do is to act quickly in the event of a data breach,” says Couvillion. “Knowing what sensitive employee data and information the organization holds—and where it’s being kept—is key to this quick response, as is working closely with IT, compliance, finance, and other departments throughout the organization to get to a solution quickly.”
Lessley suggests that organizations set up a breach response team beforehand that is trained to respond quickly in the event of a hack. This team should include a member of the senior leadership team, an HR professional, a legal representative, and a marketing or public relations professional to demonstrate that the company is taking the threat seriously and ensure that it is prepared to answer employee questions and keep messaging consistent.
She also recommends that organizations take the following preemptive steps to prepare for the worst:
- Create a plan documenting how HR will work with IT to identify impacted data, notify employees of a breach, and correct any issues.
- Determine what information HR will need to collect and communicate in the event of a breach. This can include the time and length of the data breach, the cause, the type of data that was compromised, impacted employees, and next steps.
- Prepare messaging templates, FAQs, and plans for live Q&A sessions that the breach response team can consult in the event of a breach.