How to Keep Your Employees’ Data Safe in an Age of Enhanced Personal Information Security

How safe is your employees’ data? Do you have the necessary protocols and systems to protect your organisation’s information? Are you on top of the personal information security law in your respective region?  

These are tough questions, but it is impossible to escape them. In a world where we rely more and more on digital information storage, we are also exposing ourselves to digital data breaches. And we may never know who has accessed our data if a breach occurs.

Data breaches have made headlines around the world in recent years

In the past few years alone, there have been a number of high-profile data breaches, exposing a range of company data. In 2019, hackers used crawler software to scrape customer data from the biggest Chinese shopping platform Taobao – owned by Alibaba – impacting over 1 billion customers.[1] LinkedIn, the largest professional social network, suffered from a comparable attack in June 2021. On a dark web forum, over 700 million LinkedIn users’ data, including real names, email addresses, and phone numbers, were posted for sale.[2]  

How the world has reacted  

The European Union issued the General Data Protection Regulation (GDPR) in 2018. To illustrate how important data protection is on the current agenda, it sets out fines for companies that fail to adequately protect individuals’ information – companies that fail to comply with the regulation can face fines of up to €20 million or 4% of their entire global turnover, whichever is higher[3].  

The EU is not alone. In November 2021, China introduced the new Personal Information Protection Law (PIPL), which even applies to activities taking place outside of China, if relevant to individuals within China. For example, any business whose activities involve providing goods or services to Chinese citizens or may involve analyzing their behaviors needs to follow PIPL.[4] Brazil has the Lei Geral de Proteção de Dados (LGPD), and Japan has the Act on Protection of Personal Information (APPI).

What these laws mean for your employees’ data  

It goes without saying that each country or region has its unique law, but the underlying principles are similar. ADP has listed a few below:  

  • You need your employees’ consent to use their data – if you want to use their data for a new purpose, you need to get another consent for that specific use. This applies to the information you manage through your payroll software, as well as your organisation’s other HR solutions.  
  • Organisations have a responsibility to protect their employees’ data – if personal data is lost or stolen, you have a duty to inform the affected employees, as well as to report the loss of data to your local supervising authority in time[5].
  • You should only collect data that is absolutely necessary – companies should follow the principle of minimal necessity. For example, some companies collect their employees’ biometrics and fingerprints to help them enter the facilities more easily, but is this necessary when an access card could do the same job? 

Steps to take 

Before diving into the laws and regulations in your respective country, maybe you should take a step back and see whether your organization has been proactive. ADP has prepared a few steps to help you enhance your organization’s data security. 

  • Establish a formal procedure – What information should be collected and for what purpose, when and by whom it should be collected, and where and for how long it should be stored – there should be a formal and strict procedure that everyone needs to follow, and any violation should be followed by a penalty.
  • Limit the number of technologies – Be it payroll or other solutions, always use a small number of technologies, so that there will be a smaller risk of unauthorized access and data loss.
  • Restrict access – Only people who have a need to know the information should have access.[6] For instance, managers should only have access to information related to their subordinates’ performance.
  • Provide training – Everyone needs training, top leaders as well as employees, and those who need to deal with sensitive personal information need extra help. Remember to include the common tricks that information thieves and hackers use to gain unauthorized access.

You need the right HR solution  

Fortunately, we are living in an era of digital transformation, and can always turn to technologies when the demands are high. The right HR solutions can customize your privacy and data protection at each stage and perform data flow mapping and privacy assessments on all the data processing activities. Personal data will be collected in compliance with laws and regulations, and the process can be automatically updated whenever there are any legislative adjustments. It is a great time to check out which solution is for you. 

Sources

  1. https://www.cpomagazine.com/cyber-security/web-scraping-on-alibabas-taobao-resulted-in-data-leak-of-1-1-billion-records/
  2. https://www.upguard.com/blog/biggest-data-breaches
  3. https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018
  4. https://www.clydeco.com/en/insights/2021/10/china-s-personal-information-protection-law
  5. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcement-processing/penalties/
  6. https://www.hrmsworld.com/hr-data-security-threats.html
