GDPR compliance: is your business at risk of an employee information data breach?

(Image credit: Image Credit: Balefire / Shutterstock)

Since the introduction of GDPR last year, small businesses have faced increased pressure to develop and alter their existing policies in line with the new rules around data handling and compliance. Businesses of all sizes are fully conscious of the crippling €20 million or 4% of annual turnover penalty that non-compliance can incur, and understand that even the smallest and least equipped businesses must keep private information secure and accurate.

While these laws were implemented to preserve individual privacy amid ever-increasing cyber surveillance, staying compliant is easier said than done – as illustrated by the various breaches and fines a year on. These reports are revealing human error also plays a huge part in the slip-ups; and every business is comprised of real people, who are capable of making real mistakes, albeit unintentionally.

The focus of GDPR has largely remained on its impact on marketing as an industry. Indeed, the Information Commissioner’s Office (ICO) regularly announces firms that have been fined for nuisance calls and spam emails, but another crucial department which often gets overlooked when it comes to GDPR is HR. Arguably this department has far more to lose – holding incredibly sensitive data on employees, such as payroll, disciplinary issues and health records. This isn’t limited to employees, either; interviewees and anyone who’s credentials pass a HR manager’s path are included in this data.

So, thinking specifically about HR, what can small businesses do to avoid landing in hot water with the ICO? And how can they continue to remain compliant given everything else on their plates?

Regulation minefield

The idea of bank details, passwords and contact numbers floating in the ether and potentially vulnerable to hacking has meant that misconceptions around tech benefits are rife. Businesses are reluctant to trust technology with personal data for these reasons, and employees are tasked with securely storing it.

But, ironically, some of the latest data breaches happened through misplaced legacy hardware and negligence toward password protection. In other words: mistakes real people have made.

Take the Heathrow worker, whose misplaced memory stick resulted in a hefty £120,000 fine by the ICO. The USB contained 1,000 files with passport numbers, names, dates of birth; enough for a fake identity to be forged? Certainly.

What's more, since May this year organisations only have one month to handle Subject Access Requests (SARs) – whereby someone requests the organisation deletes all information held on them from the system. For an organisation where disparate systems or spreadsheets are used to store HR information, this would be a nightmare to handle. And of course, this challenge becomes even greater for small businesses who may have someone in part-time to handle HR, or it could fall to the office manager to handle.

This is where dedicated HR management software systems can help. By centralising all employee information within a single, secure system, HR staff and business managers can help mitigate the risk of a data breach at the same time as ensuring that if an employee does make an SAR, the required information can be gathered and provided easily and quickly.

It’s important to look for a system to which any documents or information uploaded can be shared securely, and where everyone within an organisation has their own unique login. Equally important is the ability to set different access and user permissions. This ensures that people can only see what they are meant to see and that HR administrators have control of what documents and information are visible to people. 

Cloud computing, HR and small business security

It’s time to let go of misconceptions around the available tech solutions. Usually, the first port of call for businesses is to adopt cloud technology for creative, strategic and everyday operations. According to the Cloud Industry Forum, 88 per cent of IT and business decision-makers use one or more cloud-hosted apps, and 67 per cent were keen to ramp up adoption last year. However, with the GDPR’s intimidating legal penalties looming, some are still hesitant to trust the technology.

Unsurprisingly, ideas around mixing sensitive employee data with technology can cause reputational damage beyond repair and stress for those involved. Historically, management software was once fed off in-house servers with the need for IT staff to maintain it. Of course, for small businesses with scarcely enough resources to facilitate a computer network, such a luxury was out of the question.

And despite the various technological developments for speeding up working process, it seems we’re working just as much – if not more – than last century’s workforces using typewriters and telegrams. What gives? It’s a common misconception that putting more manual processes and spreadsheets at employees’ fingertips will streamline staff management. In reality, it can achieve the opposite.

Enter cloud computing. Not a new discovery, although sometimes it’s treated as such. A multitude of tech providers’ offerings are fundamentally cloud-driven. It’s the direction businesses are moving in.

One particular element to look out for in cloud platforms is an ISO 27001 certification, as it confirms the legitimacy of the system you’re using. It’s a hallmark for an information security management system. So, you can rest assured that sensitive details are securely stored under digital lock and key.

In fact, by adopting cloud-based HR software – and assuming it is ISO certified – many businesses will benefit from having employee information stored in state-of-the-art datacentre facilities which would set them back hundreds of thousands of pounds to establish and support themselves. In a time when Denial-of-Service attacks, phishing and password attacks are increasingly common, professionally managed data centres which have been properly ring-fenced are a far safer – and cheaper – option than managing their own in-house server infrastructure.  

Practical suggestions to bolstering data protection

Mustering up funds to hire more HR recruits to tackle the increasing workloads is an easy fix for giant corporations. But for SMEs, having staff wear multiple hats is one of the only affordable solutions – much to their detriment. That’s not to mention the double and sometimes triple titles employees bear, meaning one absent person can mean an entire department is nowhere to be seen.

As we’re not blessed with foresight, ensuring GDPR compliance involves planning and smart procurement of the right systems, especially for smaller companies. HR data needs to be condensed into one singular system and not spread out across disparate ones; this also minimises the risk of human error. Platforms must automatically generate regular backups of sensitive data records on top of authorised log-in details which can be cancelled in seconds. This will prevent it from falling into the wrong hands and staff couldn’t lose the data even if they tried.

SMEs need to play to their strengths, one of which being their agility and ability to adapt according to current business trends. Crucially, this ability to decisively adopt and trial innovative technology is what drives their competitive advantage. Businesses need data-management technology equally as lean and intelligent as they are to brave the GDPR storm – or risk receiving a fine that might sink the whole ship.

Jonathan Richards, Founder & CEO, Breathe
Image Credit: Balefire / Shutterstock