All businesses are required to comply with data protection legislation. Many organizations are not sure how to do this. Others simply choose to ignore and remain unaware of the consequences of doing so.
IN Team from Neeyamo caught up with Tim Musson at the CIPP Annual Conference in late 2016 at Wales where he held a session on the importance of Data Protection and Security in Payroll. Tim is the global authority and an industry veteran in data protection, information security and privacy related matters. He frequently talks at industry events on this. He currently serves as the Managing Director of Computer Law Training Ltd., UK and is also the Head of Computer Law and Data Protection at the The Security Circle, Glasgow, UK.
Tim is a busy person these days. Changing data protection regulatory environment – especially in the UK and European region has meant that his advice is much sought after.
IN: What is particularly special about HR Data?
TM: It is very very personal data. It has a lot of intimate details about people which includes a lot of what is technically called “sensitive personal data” which can be used for discriminating against people. It includes aspects such as ethnicity and race which could be superficial in nature – but this could also include information such as health details, court convictions for civil or criminal offences, which could be used very destructively against individuals. It is therefore very important that adequate measures are taken to safeguard all data that the HR holds. Think about what a criminal might tend to do if they got hold of it – there could be hate campaigns against certain groups of people based on the information made available to them.
IN: What are the data security issues that you believe a customer needs to focus on, while evaluating a vendor for their organization?
TM: I see the majority of the regulatory issues in data security emanating from the European Union. More stringent data protection norms will come into force under the Europe data protection legislation in the European Union once the GDPR comes in. It is important to realise that if you hold your staff’s personal data, whatever you choose to do with it – you are always responsible for it. Even if you outsource processes, you are still liable for any breach of data security that might occur. With the current EU legislation, any outsourced provider of data processing has no liability under the legislation – but under the GDPR they will however be held liable. So, when the GDPR comes in, if you are outsourcing the processing of personal data, you will need to have a have a different relationship with the provider. The provider will need to ensure that they comply with the security level required by the current legislation or GDPR.
I think it is especially important if we are talking of an outsourced provider providing services via internet, probably via a cloud provider. It is important to check that the whole supply chain is certified at appropriate levels such as ISO 27001 or a small organization in the UK could be certified under the new Cyber Essentials. Certification does not provide guarantees but it does reduce risk.
IN: Data security remains a major issue for HR Outsourcing services, but some businesses seem to believe that they are too small to be at risk. What are your views on this?
TM: My central view is that the size of an organization would not be a decisive factor to determine its risk status. Risk to data exists in any organization – some of the risk is local risk and some of the risk is a result of outsourcing. Of course, if you use an outsourced provider, it doesn’t matter if you are big or small, it’s the same level of risk you inherit with the outsourced provider. People seem to think that at local level they are too small to be at risk. If you think about things like phishing emails that are sent to people who are on a list of email addresses rather than the firm, they work in. So, risks are just as high for small organizations and possibly greater because there may be less awareness and training in them. There is also the issue of very targeted emails or ‘spearphishing’ – these may be more likely to occur in large organizations but can equally affect small organizations. Hackers often attack smaller organizations as they may well be an easier target. So, it is quite clear that there is absolutely no such thing as being small.
“You are responsible for what happens with your staff’s personal data”
IN: What is the biggest element that people overlook—in other words, what are the weak spots that you believe typically leaves organizations vulnerable to data security breach?
TM: Biggest problem I think that most organization have with respect to security is to almost purely assume that it is an IT issue. Most data breaches are people doing silly things. People are the weakest link. Best thing any organization can do is to start security awareness training. Also, employees should have only “need-to-know” access to information. This whole issue of having need-to-know access is very important. Small organizations cannot get a grip on this at all. There are various reasons why it is important – obviously, the less information a person has, the less information they can intentionally give away. So, that protects against rogue staff. Also, if you were to get a malware or ransomware attack, then the ransomware will only be able to access the information that the person’s account can access and the impact is limited. So, the whole issue of limiting the information the people can access is very great and in security terms, if we can include training to spot problems like ransomware before it hits them then you are lot safer.
IN: With respect to cybersecurity, do you have any HR Outsourcing insights that you can share?
TM: This is an interesting question that I had not anticipated. My immediate thoughts on that relate to the recent series of denial of service attacks that have been happening because of inadequate security and insecure devices. The world is full of insecure IOT devices and the tools to recruit these to botnets. The criminals are using these to send denial of service attacks to specific servers. I can easily see this hitting cloud providers in the HR area and destroying their service.
These risks are very real and could happen to any provider now in the cloud sphere.
I am not going to go into any detail of potential use of IOT within an organization as it is probably too complex to elaborate here, but clearly there is a possibility of monitoring staff activities from an HR perspective using IOT devices which can lead to privacy issues for the staff.
IN: What kind of impact do you think the new EU GDPR regulations would have in the market?
TM: One word comes up and that’s “HUGE”!
This will have a huge impact and I think it’s important to realize that any organization in the world that processes personnel data of individuals in the European Union will come under the preview of the GDPR. It is slightly more complicated than that but the biggest reason we need to worry about is the hugely increased penalties compared with the existing legislation. The potential penalties under the GDPR can go high as 4% of the global turnover. Now, that sounds a bit abstract. So, it’s probably worth looking at an example – recently the information commissioner in the United Kingdom imposed a penalty on TalkTalk which had a big data breach late in 2015 and the penalty was £ 400,000 which is the biggest penalty administered in the UK so far. If the same breach were to occur once the GDPR comes into force, which will be May 2018, that same breach could have received a penalty of up to £73 Million. That’s the general estimate that’s going around. Now, this is a completely different ball game. The penalties at the moment in the UK are a maximum of half a million pounds and these are big for small organizations but not so much for bigger organizations. But the new penalties are potentially terminal for any organization.
I think one thing that will spin out from it will be that the public perception of data privacy will change. The public will be much more aware of what the law is about because it will appear so much more important. And the way the GDPR is worded, the data subject’s rights are very much clearer and very specific in it. If somebody looked at this and said I have the right to object and then they object. I think the public will exercise their rights much more under this which will mean that members of staff for example may put in subject access requests to an organization where at the moment they don’t usually bother.
Another thing which will come in and this will actually apply quite a lot to organizations that process a lot of HR data, especially those who are providers in this area, is that they will be required to have a data protection officer. This is the case even now but under the regulation, the data protection officer will have a very significant power which is almost like an independent regulator within the company not subject to control by the company. This makes the appointment extremely difficult and extremely dangerous if you recruit the wrong person to the job. So, that’s a huge change there.
The other big change relates to certain providers in the HR operations market where the cloud provider is also a data processor where they are purely providing software which the client uses for very well defined purposes. At the moment, the cloud data processor has limited to no requirement for the data protection but under the regulation there will be obligations on the processor and potentially very significant penalties as well. That’s a huge impact from the GDPR.
IN: What are the key metrics that an organization should track to stay assured that its data security program is working effectively?
TM: This is again a difficult one here. Realistically most organizations don’t have a clue about data security. Many small organizations and even large ones don’t really appear to have a clue. Typically, an organization is told by a third party that they have had a breach because they’ve somehow had access to the data they shouldn’t have had access to. And of course, realistically they should be aware of this as under the GDPR there is requirement to notify the regulator that you had a data breach. So, it’s important that your data security is working at each level and that it can effectively track any data leaving the system. So, a good IT section with a strong security component should be able to deal with that. Amongst others, they will also do things like monitoring staff behavior. If they notice certain staff accessing more data than do normally do, they should be worrying about whether they are likely to leave the organization soon and whether they are lifting data from the organization. Logging of access to databases is also very important. There is no clear and easy approach really to ensure that your data security program is working effectively.
IN: From a data security perspective, what would be your advice to any organization operating in a trans-national/ trans-continental global environment?
TM: I suppose one of the big issues you must worry about in a trans-national and trans-continental global environment is to be aware of local regulatory requirements in all the countries that you’re operating in. You can even get into a situation where something is a requirement in one country and is illegal in another country. And as soon as you get that sort of conflict, that can make life very difficult for an internationally operating company. In the context of the European Union, I’d suggest that some very good advice would be – if you are based in the EU, then make sure any cloud provider you have stores data within the EU. Recently there have been some major problems in the EU concerning the legality of sending personal data to the USA and that’s still an ongoing issue even though it is temporarily resolved. Make sure you know where the servers are for any data stored in the cloud and as far as possible be aware of international differences in legislation. This is my main piece of advice.
Data availability and data consumption is exponentially on the rise. Ironically, along with this huge explosion in data availability and the emerging data consumption pattern, we are seeing a rising trend around regulations that seek to control the availability, use and abuse of data. Given the sensitivity, HR data has always demanded and will continue to demand highest level of data security. Organizations – both end-users and service providers – need to be aware of these changing regulatory requirements and ensure that their data security apparatus is top class.
Tim closed the conversation with a simple “keep in touch” – and we definitely look forward to collaborating closely with him as we keep working to ensure that as an organization, Neeyamo is in the forefront of personal data security and privacy.