
Data protection, confidentiality and IT security: How to build a legally compliant HR department?

IT Security and Human Resources
Arthur
20.06.2023

Today, most companies have completely digitized their HR processes, personnel data and personnel files. This has many practical advantages for the HR department: it lets employees quickly access their own data and increases transparency. At the same time, increasing digitization also creates risks that should be consciously identified and reduced. Data theft and leaks can result in significant harm. The size of a company is a further factor to consider, as solutions that work for a small team of ten employees are often not easily scalable to teams of 100 employees. To establish a robust structure and proactively mitigate risks, we present five key pillars of HR compliance. By implementing these pillars, organizations can foster a healthy environment and effectively contain potential risks.

5 Pillars of HR Compliance

1. Raising awareness of data protection in the HR team

How often should HR departments deal with the issue of data protection? Johanna Große Daldrup from torq.partners emphasizes the great importance of data protection in HR: 

“As an HR team, we have a responsibility to handle our employees' data with care. For this reason, the topic of data protection is an important hygiene factor that should be addressed much more.”

Raising awareness of data protection, whether through training or continuing education, lets the topic be integrated more naturally and consciously into everyday processes. The first step is an internal audit of who works with which data and who has access to it. In the second step, behaviors and internal processes must be adapted. For example, e-mails containing documents with sensitive employee data should only be sent in encrypted form. The HR team should pay attention to secrecy and data protection not only digitally, but also physically: particularly with shared-desk policies or in open-plan offices, the HR team should introduce privacy filters for screens. It is advisable to set up a separate office in the building for the HR team so that discussions of salary data and telephone calls with the payroll office can take place openly. Home office and remote work are playing an increasing role, and the HR team should be trained and sensitized separately for this. Termination letters may no longer be forgotten in the office copy room, but instead an employee's own screen is left unlocked in the co-working space, or no VPN is used.

2. Access rights

In any good HRIS, viewing rights for individual employee data can be customized. Who is actually allowed to see what, edit what, and why? This is a question that should be asked daily in the HR department. It becomes especially difficult in the gray areas: Is it allowed to send an employee's address to the manager because they want to send a bouquet of flowers for recovery? Is it permissible to share a requested report on diversity with the communications team if it contains a detailed list of employees and not just an evaluation of the data in aggregate? Clear guidelines and policies need to be developed here so that not every request turns into a policy discussion. These can be developed internally together with those responsible for data protection, the legal department and HR.
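The two gray-area questions above (address for the manager, detailed versus aggregate diversity report) and the access audit mentioned under pillar 1 can be expressed as a small least-privilege access layer. The following Python is an added illustrative example, not code from the article or from any HRIS product; the roles (`hr`, `manager`, `communications`), the field classification in `FIELD_POLICY`, the `MIN_GROUP_SIZE` threshold and the employee records are all constructed assumptions.

```python
# Illustrative least-privilege access layer for HR records (added example,
# not from the article or any HRIS product). Roles, field classes, the
# group-size threshold and the sample records are constructed assumptions.
from collections import Counter

# Constructed sample data: six fictional employee records.
EMPLOYEES = {
    1: {"name": "Alex Muster", "department": "sales", "manager_id": 10,
        "address": "Example Street 1", "salary": 52000, "gender": "f"},
    2: {"name": "Bo Beispiel", "department": "sales", "manager_id": 10,
        "address": "Example Street 2", "salary": 48000, "gender": "f"},
    3: {"name": "Cem Test", "department": "sales", "manager_id": 10,
        "address": "Example Street 3", "salary": 50000, "gender": "m"},
    4: {"name": "Dana Demo", "department": "dev", "manager_id": 11,
        "address": "Example Street 4", "salary": 70000, "gender": "m"},
    5: {"name": "Eli Sample", "department": "dev", "manager_id": 11,
        "address": "Example Street 5", "salary": 66000, "gender": "m"},
    6: {"name": "Fay Fixture", "department": "dev", "manager_id": 11,
        "address": "Example Street 6", "salary": 68000, "gender": "f"},
}

# Field-level policy: which roles may read each attribute of a single record.
# Private contact data, salary and special-category data stay with HR, so the
# manager who wants to send flowers never receives the address from here.
FIELD_POLICY = {
    "name": {"hr", "manager", "communications"},
    "department": {"hr", "manager", "communications"},
    "address": {"hr"},
    "salary": {"hr"},
    "gender": {"hr"},
}

# Smallest group that may appear in an aggregate report handed to non-HR
# roles, so that a count cannot be traced back to one person (assumed value).
MIN_GROUP_SIZE = 2

# Every access attempt is recorded here: the raw material for the internal
# audit of who works with which data.
AUDIT_LOG = []


def _log(user_id, role, action, detail):
    AUDIT_LOG.append({"user": user_id, "role": role,
                      "action": action, "detail": detail})


def read_record(user_id, role, employee_id):
    """Return only the fields of one record the requester may see.

    Managers are restricted to their direct reports; every role is then
    filtered down to the fields FIELD_POLICY grants it.
    """
    record = EMPLOYEES[employee_id]
    if role == "manager" and record["manager_id"] != user_id:
        _log(user_id, role, "denied", employee_id)
        raise PermissionError("employee is not a direct report")
    visible = {field: value for field, value in record.items()
               if role in FIELD_POLICY.get(field, set())}
    _log(user_id, role, "read", employee_id)
    return visible


def diversity_report(user_id, role):
    """Diversity figures per department.

    HR receives the row-level list it needs for its own work. Any other role
    (for example the communications team) receives aggregate counts only,
    and cells smaller than MIN_GROUP_SIZE are suppressed.
    """
    if role == "hr":
        _log(user_id, role, "report_detail", "all")
        return [{"id": emp_id, "department": rec["department"],
                 "gender": rec["gender"]} for emp_id, rec in EMPLOYEES.items()]
    counts = Counter((rec["department"], rec["gender"])
                     for rec in EMPLOYEES.values())
    aggregate = {}
    for (department, gender), n in counts.items():
        if n >= MIN_GROUP_SIZE:
            aggregate.setdefault(department, {})[gender] = n
    _log(user_id, role, "report_aggregate", "all")
    return aggregate


if __name__ == "__main__":
    print(read_record(10, "manager", 1))            # name and department only
    print(diversity_report(20, "communications"))   # aggregate, small cells dropped
    print(AUDIT_LOG)
```

The point of the design is that the policy decision is made once, in code reviewed together with data protection and legal, rather than per request in the HR inbox: a manager asking for an address simply gets a filtered record, and the communications team gets aggregates because that is the only shape the report function will produce for that role. The audit log is what pillar 1's internal access review starts from.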

3. IT security

Today's HR team faces new challenges in times of home office and remote work: What happens if an employee working from Costa Rica does not log into the company network via the VPN?

Without a strong IT partner at hand, it will be difficult to establish a legally compliant and IT-secure HR department. Issues such as VPN usage, home office setup or the introduction of single sign-on for new HR systems need to be considered, and each poses its own challenges. A close exchange with an external or internal IT team can help with problems and ensure IT security.

4. Internationalization

The complexity of legal security increases significantly when employees are hired in different local entities in other countries. During the introduction and hiring process, the HR team must address what is legally required in the respective country context and how this can also be taken into account in the global corporate context. Guiding questions here are: What personal data may I request from the employee and store in an HRIS? Which data is voluntary? Which of the employee's documents may the manager also have access to?

5. Data protection breach

The emergency has occurred and there has been a data breach. Each breach must first be assessed internally to determine whether a report to the relevant data protection authority (organized by federal state) is necessary. Whether notification is required depends on the severity of the breach. For example, if an encrypted data carrier is lost, no notification is usually required. The most important step is to thoroughly document the data breach and implement immediate countermeasures.

The goal here is to focus on continuous improvement and create greater awareness. Reporting is not about assigning blame, but about providing so-called "post-mortem" education and creating awareness and sensitivity to the issue. When data protection gaps are uncovered, it must be possible to improve them immediately without first talking about responsible parties.

One thing is clear: a legally compliant HR department does not come about by chance, but must be continuously built up, evaluated and improved. This includes regular training on the topic for the HR department and open collaboration with the relevant stakeholders in the other departments.