With the rise of remote working there is more sensitive data being handled digitally and this comes with accompanying risks. William Howard provides practical tips for HR to improve their data security practices.

The rise of remote work as a result of COVID-19 has accelerated the amount of sensitive data that’s being handled digitally, and the risks are greater than ever. IT is generally considered responsible for data security, but they cannot mitigate this risk alone. 

Research shows that employee actions are the biggest cause of data breaches. As such, HR professionals have a role to play not only in educating employees on how to best identify cybersecurity risks, but also in educating themselves to protect the employee data that they use and have access to.

In a time when scrutiny on organisations’ data privacy practices is greater than ever, and more employees are accessing and sharing data from remote locations, it’s time for HR to focus on improving its practices around data security.

But how should HR professionals begin to execute on this business need?

Good data governance is key

In the last few years, strategic decision making has been increasingly reliant on harnessing data insights. HR technology enables employee data to be used for both the talent programmes HR facilitates and across the business lines the department supports.

HR houses some of the most sensitive company data and needs to be fully engaged in educating not only their own teams, but all employees

But with big data, comes big responsibility. Regardless of the seductive allure of big data insights, it is becoming increasingly difficult for organisations to just harvest and use data freely. Due to increased regulations around the usage of data, HR has to acknowledge that it does not have free reign to use the data it possesses.

Complying with data regulations can be complicated at the best of times, but it becomes even trickier with remote work, where the controlled office environment is traded for home, or even public, internet connections.

With remote or flexible work environments likely to remain the norm for the foreseeable future, here are some practical tips for HR to improve its data security practices:

1. Identify the data that you collect – starting with the systems where personal data is collected and stored, and make sure data is never stored locally on laptops or computers. Many HR policies and processes involve the collection of personal data, so map how data is collected throughout the entire employee lifecycle, from job candidates to alumni.
2. Implement data protection policies – employees need to be aware of the need to protect sensitive information, as well as understand how personal data is being used and why. Collaborate with IT to craft policies, ensuring that the following is included: acceptable technology use, password format and changes, employee ethics, data protection responsibility and practices.
3. Determine how long data is stored – organisations, especially those with operations in multiple regions, states, or countries, often have varying retention requirements due to applicable employment laws. Build ongoing processes to purge data that has reached the end of its legal retention period to reduce the risk of keeping data unlawfully.
4. Maintain HR data by centralising it as much as possible – at a minimum, organise archived data into chronological folders and remove their contents often. Leverage technological retention settings to enforce the data removal processes you have developed. Most talent systems can be configured to automatically remove old data once a retention period is reached.
5. Conduct training around data usage, privacy, and cybersecurity as part of every employee’s onboarding activities, and offer refresher training on a regular basis. Routine phishing simulation campaigns can help identify employees who may require further training.

What should that training include? Here are a few ideas:

• Recognising spear-phishing
• Password protecting Excel files
• Using employee IDs, not names
• Limiting the sharing of personal information
• Restricting access to HR files
• Talking to current and potential vendors about data security

Active, cross-departmental effort is required

Passive compliance with data regulations isn’t good enough. All business functions – including HR – need to demonstrate compliance with their data protection obligations, especially in a remote environment. Like any cultural shift, to change habits and behaviours you need to involve and educate people in the solution to generate positive results.

By reassuring employees about the confidentiality and anonymity of their data and, more importantly, providing them with the opportunity to participate in the change, organisations can leverage direct feedback from employees on how they actually behave and interact with data to ensure HR is meeting data protection obligations in practice.

All employees, and leaders in particular, have a role in creating a culture of data protection. HR houses some of the most sensitive company data and needs to be fully engaged in educating not only their own teams, but all employees.

Develop training that guides employees about what actions to take, and what actions to avoid, to protect the organisation’s data. When everybody becomes well informed on how their actions can compromise data and the potential damage it can cause, HR can harness this opportunity to engage employees and make meaningful change.

About the author

Will Howard is manager of research and advisory, at McLean & Company, the HR research arm of Info-Tech Research Group.