blackboard - stock.adobe.com
5 best practices for HR data compliance
HR data compliance requires sharing data rules, carrying out audits, involving IT and legal, encouraging secure data sharing and removing terminated employees' system access.
Data breaches can have a devastating impact on a company, potentially leading to negative effects such as lawsuits and government investigations. Every HR department must take steps to protect employee data, no matter the company size.
Big data breaches are likely top-of-mind for HR leaders, but HR staff must also avoid small breaches, such as giving a worker access to confidential employee information that the worker does not require. HR staff should also be familiar with the employee data laws that are applicable to their organization.
Here are some best practices that HR staff must follow to ensure their company avoids any data compliance issues.
Commonly applicable national, international employee data laws
Many countries and smaller areas within them, such as states and provinces, have passed legislation requiring companies to protect their employees' personal data. These laws outline required practices when handling and sharing employee data, such as restrictions on who can see different types of data, acceptable storage methods and rules for data retention.
HR leaders should confirm if any of the following laws affect their organization. Multiple laws may apply to global companies with employees living in more than one country.
General Data Protection Regulation
The GDPR is a regulation developed by the European Union that dictates how companies can collect, use and dispose of personal data in a professional setting. The regulation's definition of personal data encompasses any personal data about an employee.
Many countries have implemented variations of this regulation following the GDPR's release in Europe.
California Privacy Rights Act
Under the CPRA, companies must tell workers who live in California about the personal data gathered by the organization and the way that the company is utilizing that information.
Companies must share an alert about their policies related to sharing or selling data and data retention, among other policies.
Personal Information Protection and Electronic Documents Act
PIPEDA is Canadian legislation that dictates how federally regulated companies can collect, use and share employee data.
One of the requirements of the act is that organizations must obtain permission from an employee to gather the employee's personal data.
5 best practices for HR compliance with employee data
HR leaders should ensure their department is following these best practices.
1. Share data rules with employees
Employee training is one of the most important steps a company can take to ensure HR data compliance, and the education can range from training HR staff members to teaching employees outside HR about compliance.
HR staff who are overseeing the compliance training should consider that different employees may have different data training needs. In addition, compiling short guides for workers to refer to when needed could be helpful for employees learning about compliance.
HR should schedule follow-up data training every year and consider adding sessions if significant changes are made to laws affecting employee data.
2. Carry out audits
Performing regular audits helps identify data compliance issues before they become a bigger problem.
Data compliance audits may require HR staff to confirm that the compliance training material is still accurate, which can be particularly necessary if laws or employee contracts have recently changed, and confirm that employees have completed the necessary data compliance training.
3. Involve IT and legal if needed
The IT and legal departments can each bring expertise to the topic of data protection. Members of the legal department can confirm that the company's training and policies adhere to the laws applicable to the company, and they usually become involved if problems arise or if employees have questions that a member of the legal team must answer.
The legal department may also get involved when the company is buying new software, as members of the legal department may confirm that the locations of the vendor's data centers are compliant and review the vendor's data privacy policies.
IT is of course also involved when acquiring new systems, and IT staff often also confirm that new software upgrades are compliant with data policies.
4. Encourage secure data sharing
HR staff must emphasize to employees the importance of only sharing information through the proper channels.
All employees must avoid sending confidential information through unsecure channels, such as email. Instead, employees should share sensitive data using tools that limit who can see the data. Requiring employees to use strong passwords and forcing users to change their passwords on a regular basis are other important steps for remaining compliant.
Organizations that operate in highly confidential industries, such as the military, may require additional data safeguards. Employees in these fields may not be allowed to use USB keys or other devices that would allow an employee to download confidential information, such as a co-worker's home address.
5. Remove system access for terminated employees
HR staff must work with IT and any other applicable departments to ensure that employees who leave the company lose access to all systems.
Revoking former employees' access to confidential information helps protect the company and removes any risk of a former employee misusing confidential data.
Eric St-Jean is an independent consultant with a particular focus on HR technology, project management and Microsoft Excel training and automation. He writes about numerous business and technology areas.
