Personal data is any information relating to an identified or identifiable natural person (data subject) such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. HR professionals, by the nature of their work, deal with this kind of data most of the time. Resumés, employment contracts, payment slips and performance records all contain personal data.
“So why is HR responsible for data security,” you may ask. “That’s an IT issue?”
The reality is that the buck stops with HR. Data security is an ongoing part of any employee experience. So the responsibility naturally falls to the department tasked with overseeing recruitment, employee training, company culture and the redress process. HR departments collect and process large amounts of personal data not only from their employees but also from job applicants, contractors and former employees. The information they possess includes sensitive data such as health information, medical records, and salary levels. Hence, it is of utmost importance that HR professionals are aware of the requirements of the new data protection regulation and process personal data accordingly. HR has to implement data protection policies and procedures, educate the workforce and provide awareness training. Employees need to buy into this process from the moment they join the firm.
Unfortunately, in most organisations, privacy and data protection are low down on the priority list of HR departments. From an HR administrative process standpoint, therefore, data privacy involves rethinking every aspect that requires the employee’s personal data, right from the recruiting stage.
However, building the right culture around privacy and security takes a proactive approach, rather than a reactive one.
It’s far more effective to have your employees embrace necessary privacy and security processes than it is to be left rectifying mistakes created by unprofessional and unsafe behaviors.
A data privacy culture is one where every employee takes responsibility for individual data privacy rights.
It’s a culture where workers are empowered to know how to protect themselves, and the organization provides the support needed to execute these behaviors confidently and effectively.
So what steps can organisations and HR departments take to engender this kind of culture? As noted by Daniel Schwartz in an article entitled “HR’s Increasing Role in Ensuring Data Privacy”, the following steps could be helpful:
- Learn – This is NOT simply IT’s role; rather, HR professionals should have a key role at the table in discussing a company’s data privacy culture and practice. And the first step in that is that HR should learn the basics of data privacy.
- Assess – HR has access to lots of data; where is it and who has access? Where are you “leaking” data when it comes to your employees?
- Develop – Develop policies and your data privacy program; and develop the teams of people that will respond in the event of a data breach.
- Educate – Data privacy and protection ought to be part of a sustained training program, just like anti-harassment training.
- Monitor – Figure out risks and review areas; when a breach happens, HR needs to be at the table to discuss employee impact.
- Inform – When (not if) you have a data breach, inform those affected and gov’t officials and implement your data breach plan.
For human resources, I think this is one of the more complicated times to be in HR. Between privacy, equal opportunity/discrimination laws, wage laws alone, there are many issues to keep on top of. Make sure data privacy is on your list of things to pay attention to for this year.
To learn more about Data Privacy and the impact it can have on your organization as well as to apply appropriate governance, privacy and data protection controls to help reduce risks, issues and threats, register now for our Data Protection and Information Governance Intensive, March 26th 2019 at Hilton Trinidad. Visit our event page at www.equigov.com/dataprivacy2019 for more information or email us at firstname.lastname@example.org; email@example.com or call us at 1-868-461-4572.