by Alexandre Menguy, Global Security Manager August 15 2017
Cyber attacks have been making headlines in recent months, especially with the WannaCry and NotPetya attacks in May and June. And with the fast-approaching deadline for GDPR compliance, set for May 25, 2018, data security is becoming more and more of a concern for organizations. What impact will this have on HR?
The GDPR: A New Era in Data Security
The GDPR (General Data Protection Regulation) introduces a new set of regulations for the protection of personal data and privacy, which will have a resounding impact on security measures. Because the new regulations will significantly change how privacy is managed, security must be managed in advance of GDPR going into effect.
The Impact on HR
From their start date to their last day on the job, employees generate a large amount of personal data that HR must collect, manage, and store - for instance, a simple Excel file containing contact information constitutes personal data that must be properly managed. New regulations under the GDPR will directly impact the requirements for how this information is managed.
Changes Under the GDPR
The objective of the GDPR, which will go into effect in 2018 in Europe, is to give control back to citizens over their personal data through a single, unified set of privacy protection rules for the European Union.
On May 25, 2018, the GDPR will effectively replace the 1995 Directive (95/46/EC). As a regulation, it will apply uniformly across all EU member states. Any company with employees residing in the EU must comply with the GDPR, even if the company’s main offices are located elsewhere. Additionally, the GDPR’s requirements will apply to third-party vendors (data processors or subcontractors) who process employee data on behalf of a company with employees residing in the EU.
The 5 Main Principles of the GDPR
Accountability: the burden of proof of compliance is placed on the company.
Privacy by design: privacy regulations must be accounted for in the design of information systems, databases, and applications.
Security by default: the default configuration settings in all software must be the most secure settings.
Privacy impact assessment.
Data Security Issues in Articles 32 and 33
Security objectives under Article 32 include:
Use of mechanisms like encryption and anonymization to reduce the exposure of private data
Confidentiality, integrity, and accessibility of systems and processing services
Access to personal data in the event of an incident
Testing, analysis, and evaluation
But Article 32 is not the only article that affects security. Article 33 introduces a notification requirement in the event of a security incident leading to the loss, disclosure or destruction of personal data. Even though the regulation does not say so explicitly, a notification obligation implies being able to detect such security incidents, also known as data breaches, in the first place.
For HR, this translates into a heightened focus on:
Communication about general data protections
Security and entitlement management
Data retention policies
General information provided to candidates and employees
Security, privacy, integrity, accessibility, and notification requirements are integral to PeopleDoc services. We go beyond our customers’ expectations to proactively maintain the security of our cloud-based services and our internal processes:
Data encryption, both when data is at rest and in transit
Perimeter security and network segregation
Protection against attacks on services and applications
Multiple security testing strategies, including annual security audits, private bug-hunting programs, and continuous security testing
Organizational security, including an information security management system (ISMS) certified to ISO/IEC 27001
Software development lifecycle, to ensure software security throughout its development
Internal awareness program for security risks, practices, and data privacy
Implementation of a host-based intrusion detection system (HIDS)
Dedicated security team for platform monitoring
Far from being a set of restrictive constraints, the GDPR is an opportunity for HR to optimize data management processes as well as enhance the employer brand for their company. While there is a business challenge to comply with these regulations, it’s also an opportunity for HR to engage with employees throughout the process.
Your Complete GDPR Checklist
Identify sensitive data
Write a charter of good practices
Define the role and responsibilities of the Data Protection Officer
Prepare for the possibility of a data breach
Create a catalogue of your employee data
Communicate internally and train your staff
Alexandre Menguy, Global Security Manager
Alexandre Menguy is Global Security Manager at PeopleDoc. He manages PeopleDoc's information security management system and ensures the maintenance of the security certifications. He is a former senior cybersecurity advisor and auditor.
Alexandre holds a Master's Degree in Engineering from Telecom Paristech and lives in Paris, France.