GDPR and Security: A Challenge or an Opportunity?


Cyber attacks have been making headlines in recent months, especially with the WannaCry and NotPetya outbreaks in May and June 2017. With the GDPR compliance deadline of May 25, 2018 fast approaching, data security is becoming more and more of a concern for organizations. What impact will this have on HR?

The GDPR: A New Era in Data Security

The GDPR (General Data Protection Regulation) introduces a new set of rules for the protection of personal data and privacy, and those rules have direct consequences for security measures. Because the regulation changes how privacy must be managed, the supporting security measures need to be in place before it applies.

The Impact on HR

From their start date to their last day on the job, employees generate a large amount of personal data that HR must collect, manage, and store. Even a simple Excel file of contact details is personal data that must be managed accordingly. The GDPR directly changes the requirements for how this information is handled.

Changes Under the GDPR

The objective of the GDPR, which applies across Europe from May 25, 2018, is to give citizens back control over their personal data through a single, unified set of privacy protection rules for the European Union.

On May 25, 2018, the GDPR replaces the 1995 Data Protection Directive (95/46/EC). Because it is a regulation rather than a directive, it applies directly and in the same way in every EU member state, without national transposition.
Any company with employees residing in the EU must comply with the GDPR, even if its main offices are located elsewhere. The GDPR's requirements also apply to third-party vendors (data processors) who process employee data on behalf of a company with employees residing in the EU.

The 5 Main Principles of the GDPR
  1. Accountability: the burden of proving compliance is placed on the company (Article 5(2)).
  2. Privacy by design: data protection must be built into the design of information systems, databases, and applications (Article 25).
  3. Dedicated oversight: a data protection officer (DPO) must be appointed by public authorities and by organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data (Article 37); many HR organizations will fall into one of these cases.
  4. Data protection by default: by default, only the personal data necessary for each specific purpose is processed, and default settings must be the most privacy-protective ones (Article 25).
  5. Data protection impact assessment (DPIA): required before any processing likely to result in a high risk to individuals (Article 35).

Data Security Requirements in Articles 32 and 33

Security measures required under Article 32, "appropriate to the risk", include:

  • Pseudonymisation and encryption of personal data to reduce the exposure of the data
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • The ability to restore access to personal data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing, and evaluating the effectiveness of these measures
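
To make the first bullet concrete, here is an added example (not PeopleDoc code, and not part of the original article) of pseudonymising the kind of employee contact file mentioned above. The record layout, the two sample employees and the secret key are constructed for illustration. It shows the caveat a practitioner should know: an unkeyed hash of an identifier is not a pseudonym, because anyone with a list of plausible values can reverse it by trying them; a keyed HMAC with the key stored separately from the data set is what Article 32 means by pseudonymisation.

```python
"""Pseudonymisation of HR records: keyed HMAC versus a naive unkeyed hash.

Added example; not PeopleDoc code. The record layout, sample employees and
key handling below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample: the "simple Excel file" of contact data, loaded as dicts.
SAMPLE_EMPLOYEES = [
    {"employee_id": "E1001", "email": "alice@example.com", "salary_band": "B2"},
    {"employee_id": "E1002", "email": "bob@example.com", "salary_band": "C1"},
]

# Hypothetical key handling: in production this key lives in a secret store,
# separate from the pseudonymised data set. If the key is stored alongside the
# data, the data is effectively not pseudonymised at all.
PSEUDONYM_KEY = secrets.token_bytes(32)


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: looks opaque but is reversible for low-entropy inputs
    (employee IDs, e-mail addresses) by simply hashing every candidate."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable join key across data sets, but
    re-identification requires the secret key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace direct identifiers by a keyed pseudonym and drop the fields
    that are themselves identifying (here the e-mail address)."""
    out = []
    for rec in records:
        out.append({
            "subject": keyed_pseudonym(rec["employee_id"], key),
            "salary_band": rec["salary_band"],
        })
    return out


def dictionary_reverse(token: str, candidates, fn):
    """Re-identification attempt: apply fn to each plausible identifier and
    look for a match. Returns the identifier or None."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    ids = [r["employee_id"] for r in SAMPLE_EMPLOYEES]
    # The naive token is recovered immediately from a small candidate list.
    print("naive:", dictionary_reverse(naive_pseudonym("E1001"), ids, naive_pseudonym))
    # Without the key, the same attack fails against the keyed pseudonym.
    attacker_key = secrets.token_bytes(32)
    print("keyed:", dictionary_reverse(
        keyed_pseudonym("E1001", PSEUDONYM_KEY), ids,
        lambda c: keyed_pseudonym(c, attacker_key)))
    print(pseudonymise(SAMPLE_EMPLOYEES, PSEUDONYM_KEY))
```

Note that the pseudonymised rows are still personal data under the GDPR, since the key holder can re-identify them; pseudonymisation reduces exposure, it does not take the data out of scope. Anonymisation, which the original article mentions, is a stronger and much harder property.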

Article 32 is not the only article that affects security. Article 33 introduces a notification requirement for any personal data breach, that is, a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data: the supervisory authority must be notified within 72 hours of the company becoming aware of it, and Article 34 adds notification of the affected individuals when the breach is likely to result in a high risk to them. Although the regulation does not spell it out, a notification duty implies being able to detect such incidents in the first place, which in turn requires logging and monitoring.

For HR, this translates into a heightened focus on:

  • Communication about data protection in general
  • Security and entitlement (access rights) management
  • Data retention policies
  • Clear information for candidates and employees about how their data is handled

How PeopleDoc Supports GDPR Compliance

A digital solution, such as PeopleDoc’s HR Service Delivery Platform, can help HR meet these needs and optimize compliance with the GDPR.

Security, privacy, integrity, availability, and notification requirements are integral to PeopleDoc services. We go beyond our customers' expectations to proactively maintain the security of our cloud-based services and our internal processes:

  • Data encryption, both when data is at rest and in transit
  • Perimeter security and network segregation
  • Protection against attacks on services and applications
  • Platform redundancy
  • Multiple security testing strategies, including annual security audits, a private bug bounty program, and continuous security testing
  • Organizational security, including an information security management system (ISMS) certified to ISO/IEC 27001
  • Software development lifecycle, to ensure software security throughout its development
  • Internal awareness program for security risks, practices, and data privacy
  • Host-based intrusion detection system (HIDS)
  • Dedicated security team for platform monitoring


Far from being a set of restrictive constraints, the GDPR is an opportunity for HR to optimize data management processes as well as enhance the employer brand for their company. While there is a business challenge to comply with these regulations, it’s also an opportunity for HR to engage with employees throughout the process.

Your Complete GDPR Checklist
  • Identify the personal data you process, including sensitive (special-category) data
  • Write a charter of good practices
  • Define the role and responsibilities of the Data Protection Officer
  • Prepare for the possibility of a data breach
  • Create a catalogue of your employee data
  • Communicate internally and train your staff

About Alexandre Menguy, Global Security Manager

Alexandre Menguy is Global Security Manager at PeopleDoc. He manages PeopleDoc's information security management system and ensures the maintenance of its security certifications. He is a former senior cybersecurity advisor and auditor. Alexandre holds a Master's Degree in Engineering from Télécom ParisTech and lives in Paris, France.