Cyber attacks have been making headlines in recent months, especially with the WannaCry and NotPetya attacks in May and June. And with the fast-approaching deadline for GDPR compliance, set for May 25, 2018, the issue of data security is becoming more and more of a concern for organizations. What impact will this have on HR?
The GDPR: A New Era in Data Security
The GDPR (General Data Protection Regulation) introduces a new set of regulations for the protection of personal data and privacy, which will have a resounding impact on security measures. Because the new regulations will significantly change how privacy is managed, security must be managed in advance of GDPR going into effect.
The Impact on HR
From their start date to their last day on the job, employees generate a large amount of personal data that HR must collect, manage, and store - for instance, a simple Excel file containing contact information constitutes personal data that must be properly managed. New regulations under the GDPR will directly impact the requirements for how this information is managed.
Changes Under the GDPR
The objective of the GDPR, which will go into effect in 2018 in Europe, is to give control back to citizens over their personal data through a single, unified set of privacy protection rules for the European Union.
On May 25, 2018, the GDPR will effectively replace the 1995 Directive (95/46/EC). The new regulation will apply to all countries in the same way. Any company with employees residing in the EU must comply with the GDPR, even if the company’s main offices are located elsewhere. Additionally, the GDPR’s requirements will apply to third-party vendors (or data subcontractors) who process employee data on behalf of a company with employees residing in the EU.
The 5 Main Principles of the GDPR
- Accountability: the burden of proof of compliance is placed on the company.
- Privacy by design: privacy regulations must be accounted for in the design of information systems, databases, and applications.
- Dedicated oversight: the appointment of a data protection officer (DPO) is required.
- Security by default: the default configuration settings in all software must be the most secure settings.
- Privacy impact assessment.
Data Security Issues in Articles 32 and 33
Security objectives under Article 32 include:
- Use of mechanisms like encryption and anonymization to reduce the exposure of private data
- Confidentiality, integrity, and accessibility of systems and processing services
- Access to personal data in the event of an incident
- Testing, analysis, and evaluation
But Article 32 is not the only article that affects security. Article 33, for instance, introduces a notification requirement in the event of a security incident leading to the loss, disclosure, or destruction of data. Even if the regulation does not say so explicitly, notification implies being able to detect such security incidents, also known as data breaches.
For HR, this translates into a heightened focus on:
- Communication about general data protections
- Security and entitlement management
- Data retention policies
- General information for candidates and employees
How PeopleDoc Supports GDPR Compliance
A digital solution, such as PeopleDoc’s HR Service Delivery Platform, can help HR meet these needs and optimize compliance with the GDPR.
Security, privacy, integrity, accessibility, and notification requirements are integral to PeopleDoc services. We go beyond our customers’ expectations to proactively maintain the security of our cloud-based services and our internal processes:
- Data encryption, both when data is at rest and in transit
- Perimeter security and network segregation
- Protection against attacks on services and applications
- Platform redundancy
- Multiple security testing strategies, including annual security audits, private bug bounty programs, and continuous security testing
- Organizational security, including an information security management system (ISMS) certified to ISO/IEC 27001
- Software development lifecycle, to ensure software security throughout its development
- Internal awareness program for security risks, practices, and data privacy
- Implementation of a host-based intrusion detection system (HIDS)
- Dedicated security team for platform monitoring

Far from being a set of restrictive constraints, the GDPR is an opportunity for HR to optimize data management processes as well as enhance the employer brand for their company. While there is a business challenge to comply with these regulations, it’s also an opportunity for HR to engage with employees throughout the process.
Your Complete GDPR Checklist
- Identify sensitive data
- Write a charter of good practices
- Define the role and responsibilities of the Data Protection Officer
- Prepare for the possibility of a data breach
- Create a catalogue of your employee data
- Communicate internally and train your staff