8 Ways to Maintain Data Security While Preserving Employees' Privacy
Recent data privacy regulations such as the California Privacy Rights Act (CPRA), General Data Protection Regulation (GDPR), and Brazil’s Data Protection Law (LGPD) all regard employees’ personal data as highly-sensitive. However, organizations are ultimately required to collect and store employees’ personal data in order to provide them with payroll services, benefits, retirement plans, and career advancement opportunities.
How can your organization balance data security requirements with employees’ personal privacy needs? Here are eight actions you need to take now:
#1: Evaluate Employees’ Data Privacy across the Entire Employment Lifecycle
A tremendous amount of private employee data is collected during the onboarding, employment, and offboarding phases of HR administration, and all of that data needs to be protected. Many organizations focus their efforts on just the “working” phase since they know that mishandled employee data can result in lower employee morale and productivity issues. Published reports indicate that 16% of respondents have even resigned from their organizations as a result of a data breach.
However, protecting data only during the employment phase isn’t sufficient: You need to protect data from the job applicant’s first interaction with you and throughout the employment lifecycle to the administration of retirement benefits.
#2: Minimize the Scope of Data That’s Collected in the First Place
Many companies find it daunting when they realize that they need to protect information over such a long time. One of the best ways to combat that fear is by limiting the amount of information that your team collects in the first place. A simple example is that you can ask job applicants to provide their emergency contact(s)- which could unintentionally reveal their living situations and/or family members’ details- only after a formal job offer is made.
#3: Focus on Data Retention
By its very nature, human resources data should be made available to organizational users on a “Business Need to Know” basis. Since direct supervisors usually have more comprehensive access to an individual employee’s private details (such as their payroll information and emergency contacts), it is extremely important to keep your organizational chart’s reporting relationships up-to-date.
Additional best practices for employee data retention include the following:
- Follow a retention schedule for archival and deletion of data, and make that schedule available to job applicants and employees.
- Never retain data that your team doesn’t actually require. Doing so can help to lower your data storage costs, improve users’ productivity, and even discourage legal challenges down the road.
- Involve your company’s legal team to confirm that your human resources team isn’t requesting or stockpiling superfluous information about job applicants and employees.
#4: Conduct Privacy Impact Assessments (PIAs)
According to the United States Federal Trade Commission (FTC), a privacy impact assessment is defined as follows:
“Privacy Impact Assessment, or PIA, is an analysis of how personally identifiable information is collected, used, shared, and maintained.”
After you’ve mapped your employees’ data, your goal will be to identify Personally Identifiable Information (PII) that your company currently collects, assess overall risk, and put a policy in place to improve data collection. This is an important step because PII is extremely attractive to potential cyber-attackers and critical to your company’s users and consumers. You can learn more about best practices to protect PII in Egnyte’s PII protection guide.
#5: Map Your Data
By performing data mapping, you will be able to inventory personal data that’s stored in your business systems. A data map is an essential component of nearly every data privacy law, and it’s anticipated to be a key requirement for future legislation. Data mapping is a foundational step for the fulfillment of all legal requirements under privacy laws, such as:
- Responding to a Data Subject Access Request (DSAR).
- Conducting Privacy Impact Assessments (PIAs), as referred to in the previous section.
- Maintaining records of data processing activities (RoPAs).
Note that data maps can also be referred to as data inventories, an Article 30 assessment (under GDPR), or as PII disclosure (under the CCPA). However, the concept is the same; you need a thorough record of the data processing that your company conducts.
#6: Limit Cross-Border Data Transfers
Similar to data mapping requirements, data privacy regulations frequently limit cross-border transfers of data. In particular, the European GDPR imposes strict data transfer requirements. This is an important requirement to consider when safeguarding employees’ data because a data breach involving offshored employee data is virtually guaranteed to garner press coverage.
#7 Assess Data Privacy Protection of Third-Party Providers
The business reality is that third-party providers are an integral part of today’s human resources administration ecosystem. So, you need to assess the overall security of your company’s digital supply chain. In the past few years, organizations have learned that they are only protected as well as their supply chains. Quanta Computer Inc., a key Apple supplier, is just one example.
You need to assess how well third-party vendors manage your consumers’ information and have the vendors attest that they have the systems and controls in place to protect your- and your employees’- data and business interests. As such, all business contracts with key suppliers should incorporate provisions for employee data protection.
#8: Track and Refine Your Progress
Remember to track your progress and refine your processes for every new regulation that goes into effect. Err on the side of over-communication if a data breach impacts your (or a third-party vendor’s) infrastructure and/or if major changes are made to your data privacy program. Don’t forget to provide employees with a forum where they can raise potential concerns.
Learn More
In future blogs about this topic, we will focus on how you can use Egnyte to accomplish many of the goals outlined above. When the blogs are published, we’ll link them here for your convenience.