Personal Employee Information - Handle with Care If You’re in HR
By Owen Sorensen on 12 Feb 2019
A recent article in The Economist asserts that the world’s most valuable resource is no longer oil, but data. However, Nick Ismail, in an article on The Information Age, argued that the fuel of this new data economy is more like uranium than oil. His reasoning is that “the less you handle it and the fewer people who access it, the less likely it is to leak or cause harm.”
That is a great analogy and so true on so many levels.
According to the Gartner Market Guide for Data-Centric Audit & Protection, most people don’t think of the data they create, access and store in terms of toxicity, but the same assets that drive revenues or establish goals can and do become toxic more frequently than ever before.
For this article we just want to focus on the implications for HR Managers, i.e. those people who oversee the hiring process and handle all the sensitive personal documentation that prospective job candidates must supply to progress through recruitment channels.
This documentation ‘uranium’ is indeed a potential lawsuit in the making if your processes have not evolved to meet the challenges of the digital age.
If you’re still emailing candidates requesting they forward their bank details, visas, passports, background checks etc. then you need to read this article. Are you still using Excel spreadsheets or equivalent? Is this HR folder accessible to others in your company? And looking beyond cyber threats to immediate costs, do you lose hours in the day chasing this all up and store it on vulnerable servers? According to one PlanetVerify client, chasing up applicant information via email and telephone used to eat up an average of almost 23 minutes in HR time per task, costing €14.53 in wages based on an HR manager staffing cost of €30/hr. With each applicant often necessitating multiple admin tasks, the time (and costs) spillage mounts up quickly.
If any of this rings true, then you are very exposed to serious data breaches and leaks.
If the worst happens and the ‘uranium’ leaks, do you even have a crisis management plan in place? In 2016 Sports Direct had a serious leak of personal documentation on their 30,000 employees, and they didn’t even inform these employees for over a year.
"The way Sports Direct has handled their data breach last year is a perfect example of how not to deal with a cyber-attack...Keeping their 30,000-strong workforce in the dark for over a year is simply unacceptable." Dr Jamie Greaves, Chief Executive at cybersecurity company, ZoneFox.
Publishing company Mansueto Ventures, which publishes Fast Company and Inc., was also recently targeted by internet criminals in an email 'phishing' scam and sensitive personal information about current and former Fast Company and Inc. employees was leaked in the attack.
A recent Forrester study highlighted that only 41% of 150 organisations knew where their employee data was located. As reported in the Information Age, this information is often stored in databases or HR systems, either on-premise or in the cloud. However, more often than not, personal information also finds its way into files and emails, downloaded and saved locally.
These processes were designed for easy collaboration but they lack the controls to properly monitor and protect sensitive information.
According to this report from Media Pro, 88% of respondents lacked the necessary awareness to stop preventable privacy or security incidents.
Employer/employee trust is at stake here.
If you show careless disregard for your employees’ data, don’t be surprised if they do the same. According to a recent Forcepoint study, European companies are facing multiple challenges to protect employee data:
35% of employees admit to having been involved in a security breach
14% of employees would jeopardise their job by selling work logins to an outsider
40% of those would do so for less than £200
27% of US office workers would sell their password
“Research has consistently shown that breaches caused by employees are among the most damaging around in terms of their financial and reputational impact. Organisations that ignore the potential security risks that can be caused by employees and other insiders miss an opportunity to strengthen their security posture and protect their companies more broadly,” Mike Smart, Product and Solutions Director at Forcepoint.
If you are responsible for handling, collecting and storing personal employee documentation, you will need to assess your processes as a priority. The situation is exacerbated when you’re dealing with low-skilled, high-turnover industries, simply because the volume of this data will exponentially grow with every new hire.
Trust is key and with GDPR guidelines now in place, any disregard for employee privacy law and employee privacy rights to personal information will be heavily punished, so this is no longer something that can be put off.
Rather than see GDPR as a challenge, it should be greeted as a welcome opportunity to lock down your processes around data protection and privacy. It’s a good thing for both employees and businesses. Your staff will know they can trust you to manage their information correctly and have a clear understanding of who can see what. Trust is established and reciprocated and you’ll be safe in the knowledge that you’re doing all you can and should from a data protection point of view.
You might be asking yourself whether there is an easy way to automate the collection and storing of personal employee information, one that bypasses email and spreadsheet vulnerabilities, encrypts everything at every stage of the process and basically covers everything you need to do from a GDPR and employee trust standpoint.
The good news is that there is, and it’s called PlanetVerify. Get in touch for a demo and see just how easy it can be to eliminate all the stress and risks associated with employee personal information.