James L. Bindseil, President and CEO of information exchange expert Globalscape, urges HR departments to get to grips with their data responsibilities.
The summer of 2015 was a hot one for the security industry. There was an unusually high number of headline data breaches, from dating giants Ashley Madison and Match.com to Mumsnet. While the causes of these are yet to be fully revealed, it is suspected that some could be the result of malicious or careless insiders. In fact, according to the Ponemon Institute, the most likely threat to data security is not the outsider, but rather potentially ignorant, negligent, incompetent, or malicious corporate insiders. This poses new and unique challenges for HR departments.
The flexible workforce and the increased use of mobile and collaborative technology have increased access, but at the same time increased risk. Data breaches have become almost as much an issue for the Human Resources (HR) department as for IT.
All the while, HR departments themselves are collecting and storing more and more sensitive data, due to the nature of their roles. Most enterprises have digital staff records or are investing in different recruitment analytics tools, introducing more layers of complexity and requiring compliance with new data protection regulations. This transition to electronic record keeping opens an organisation up to additional security vulnerabilities. When piled on to the other sensitive areas of HR, these security concerns cause extra stress, and more procedures and policies to manage.
This new environment has meant HR needs to better understand IT security, and become aligned with strategies to maintain compliance and the transparency of information, and to meet challenges caused by the new mobile environment.
Compliance is becoming important to HR departments on two levels: first there is the need to keep personnel data safe, and second, there is an education element that is incredibly important, as staff can inadvertently cause compliance issues. There are a number of regulations that HR departments must follow, including core pieces of legislation such as the UK’s 1998 Data Protection Act. A data breach can ultimately result in significant fines and potentially time-consuming compliance audits.
Traditionally, HR professionals have had to be aware of these laws, but only on a macro level. Before the increased use of collaboration and electronic record keeping, data was kept in filing cabinets, and there was simply less of it, so the risk of a breach was significantly lower. In addition, it was usually the responsibility of legal departments to ensure compliance. However, the growing amount of data in existence means that HR now needs to be aware of and compliant with regulations, especially in the handling of data.
The European Union has even called on companies to introduce Data Protection Officers, based across HR and IT departments. Not every organisation needs a designated Data Protection Officer, and often these can be appointed within relevant departments to take responsibility for specific areas. Their growing use and the increasing transparency of information highlights the need for HR departments to take note and protect their data to comply with the law.
At the same time, there is a need for IT education to take place. Only a handful of organisations lack policies mandating that staff understand and practise safe and compliant methods of transferring sensitive data. Depending on the sort of data you’re handling, different laws may apply, which creates a new level of complexity when inducting staff and delivering training. In most organisations, it is the responsibility of HR departments to deliver training and make sure that the new staff member is aware of company procedures.
While flexible working is a necessary and important step towards faster and more collaborative work dynamics, it does present a number of security challenges. Bring your own device (BYOD), a growing trend, brings some immediate risks as far as HR is concerned. The potential risk associated with BYOD includes staff access to sensitive data on their own mobile devices. This also means that it is critical to guarantee the security of employee-owned devices. In most organisations, this is achieved through a BYOD policy or enterprise mobile management software, specifying the exact solutions that must be used to distribute files or for mobile working.
Policies must be enforced and staff must be fully aware of correct procedures. Organisations need to make sure their staff are completely on board, and fully educated in how to share files safely and follow compliance procedures. IT security needs to become a key part of staff training and induction procedures, both of which fall directly under the responsibility of HR departments.
It is an interesting time to be working in the HR industry. The data transformation of the workplace is not only making the way businesses operate faster and more flexible, it is also altering the responsibilities of HR departments and personnel across organisations.
HR departments need to maintain control of both their data and the actions of employees who have access to that data. With a data boom across multiple industries, compliance and education are more important than ever and will continue to be so. Ultimately, organisations that lose control over the security of their data run the risk of failing compliance with the Data Protection Act, and any breach will inevitably be expensive and damaging to an organisation’s reputation.
Main image credit: https://www.flickr.com/photos/jakerust/