By Chaitanya Peddi, Co-founder, Darwinbox
The implementation of GDPR norms in the past year has led to an industry-wide discussion regarding data privacy and the idea of data collection in public and private spaces. Among these spaces, organizational workplaces have emerged as a prime focus area, given the emphasis placed on monitoring employee efficiency. The integration of technology within this space to aid in this form of surveillance has led to the collection and storage of vital employee data. It is this data that is now in jeopardy as multiple stakeholders raise the question of data privacy and security at the workplace. The need of the hour is for organizations to analyze their internal situation as well as the industry scenario to determine the best practices that can address this question.
Understand your data
The first step to be adopted is for companies to categorize the data that is captured and stored on their servers. According to GDPR standards, information deemed ‘sensitive’ includes personal aspects such as financial details, elements of identity and legal information, as well as professional aspects such as company blueprints and details of inner workings. With respect to employee data, the former takes greater precedence, as this information is entrusted by the employees to the company, making the company responsible for its protection. Access to this information must be defined based on the data requirements of the role requesting it. For example, social security information such as Aadhaar cannot be mandated unless a use case for the data is established.
Construct an organized policy framework
The analysis of the data possessed by the organization directly feeds into the next step, where these insights are used to create valid data policies for the firm. This involves looking at the timeline of data usage and removing data from the system when it is no longer valid. This ensures that in the event of a breach, less damage is incurred, because data that is no longer needed has already been disposed of. The first step in creating an organizational policy document is understanding the business's compliance obligations. Legal aspects must be ironed out, and regulatory and reputational obligations must be considered. Each of these activities will ensure that the final document acts as a set of guidelines in key areas such as consent, access and breach management.
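The two ideas above, access to a field tied to the requesting role's documented need, and disposal of data once its retention period has lapsed, can be made concrete in code. The following is an added example, not code from the article or from Darwinbox; the field taxonomy, role names, retention periods and sample employee record are all constructed assumptions for illustration.

```python
"""Added example: field-level access by role and retention-based disposal
for employee records. Every role, field name, retention period and sample
value here is an assumption constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed classification of stored fields (not GDPR's own terminology).
SENSITIVE = {"aadhaar", "bank_account", "salary", "medical_note"}
PROFESSIONAL = {"employee_id", "name", "department", "email"}

# Assumed access matrix: each role sees only the fields its use case needs,
# so a manager or HR generalist never receives the national ID that only
# payroll processing requires.
ROLE_FIELDS = {
    "manager": {"employee_id", "name", "department", "email"},
    "hr_generalist": {"employee_id", "name", "department", "email", "medical_note"},
    "payroll": {"employee_id", "name", "bank_account", "salary", "aadhaar"},
}

# Assumed retention policy: days a sensitive field may be kept after the
# employee's exit date. Zero means it is deleted as soon as the person leaves.
RETENTION_DAYS = {
    "aadhaar": 0,
    "bank_account": 90,
    "salary": 365 * 7,
    "medical_note": 30,
}


@dataclass
class EmployeeRecord:
    fields: dict
    exit_date: Optional[date] = None  # None while the employee is active


def view_for_role(record: EmployeeRecord, role: str) -> dict:
    """Return only the fields the role is entitled to; an unknown role gets nothing."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.fields.items() if k in allowed}


def denied_fields(role: str) -> list:
    """Sensitive fields a role cannot read, for reviewing the access matrix."""
    return sorted(SENSITIVE - ROLE_FIELDS.get(role, set()))


def purge_expired(record: EmployeeRecord, today: date) -> list:
    """Delete sensitive fields whose retention period has elapsed after exit.

    Returns the sorted names of the purged fields so the disposal can be logged;
    active employees (no exit date) are never purged.
    """
    if record.exit_date is None:
        return []
    elapsed = (today - record.exit_date).days
    purged = []
    for name, days in RETENTION_DAYS.items():
        if name in record.fields and elapsed >= days:
            del record.fields[name]
            purged.append(name)
    return sorted(purged)


def sample_record(exit_days_ago: Optional[int] = None) -> EmployeeRecord:
    """Constructed sample employee; values are placeholders, not real data."""
    exit_date = date.today() - timedelta(days=exit_days_ago) if exit_days_ago is not None else None
    return EmployeeRecord(
        fields={
            "employee_id": "E-0001",
            "name": "A. Example",
            "department": "Engineering",
            "email": "a.example@example.invalid",
            "aadhaar": "XXXX-XXXX-0000",      # placeholder, not a real number
            "bank_account": "000000000000",   # placeholder
            "salary": 1,                      # placeholder
            "medical_note": "placeholder",
        },
        exit_date=exit_date,
    )


if __name__ == "__main__":
    rec = sample_record()
    print("manager sees:", view_for_role(rec, "manager"))
    print("manager denied:", denied_fields("manager"))
    left = sample_record(exit_days_ago=100)
    print("purged 100 days after exit:", purge_expired(left, date.today()))
    print("remaining:", sorted(left.fields))
```

The access matrix and retention table are the policy document's "access" and "disposal" guidelines expressed as data, so a change to the policy is a change to two dictionaries rather than to scattered application code, and `purge_expired` returns what it removed so that disposal can be recorded for audit.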
Ensure awareness across all stakeholders
Once this document has been created, every member of the organization must be made aware of its provisions. This involves being transparent and explaining the process of data collection to the employees, detailing what information is being recorded and for what purpose. By clearly stating how the use of this data benefits the employee, the company helps create a more conducive work environment for all stakeholders. Those who handle the collected data must also be trained to process it in a manner that complies with the protection obligations. Doing so also ensures that all data sharing remains consensual, an idea that the Indian government too espouses, as shown by the Supreme Court judgement in 2017.
Getting security right
While obtaining consent and compiling data is a massive endeavor, the subsequent step in the timeline is just as massive and important: data security. Ensuring that both systems and processes are structured to protect data becomes most critical. Organizations will need to thoroughly evaluate their primary systems of record with respect to their ability to protect employee data. Some of the certifications and compliance standards that can help with this verification process are ISO 27001 (information security), GDPR compliance (lawful processing of personal information) and SOC 2 compliance (security controls). Both an organization's internal processes and the HR technology solutions holding employee data should comply with these standards to ensure safety.
Combatting data leaks
Certifications aside, one of the most pressing data threats that organizations must fight today is the theft or leakage of data, which in many cases is carried out by internal staff. Access management systems in such situations must guard against unauthorized access by strengthening security checks. Along with this, companies must establish regular data backups for disaster recovery and also assess the vulnerability of their systems from time to time. One should confirm whether their systems have undergone a VAPT (vulnerability assessment and penetration testing) in the last six months to safeguard their data from threats. Verifying compliance once these policies and technologies are deployed will also ensure that security remains a priority at all times.
As companies continue to navigate an increasingly digital landscape, data privacy will come to be a determining factor in the push for growth and success. HR departments in particular must be cognizant of the industry scenario and adopt best practices to ensure their employees’ data is not compromised. The evolution of internal data policies and measures is a necessity now, and the efforts taken by companies today will determine the path the industry will take in the near future.
The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.