Guide to Employee Data Protection & Data Privacy | WorkBright

Safeguarding your customer’s personal information is continuously discussed when it comes to business management best practices. However, it’s just as crucial that your organization is taking the necessary steps to protect your employee data as well.

Is HR responsible for protecting your employee data?

When you hire new staff members, you must collect personal identifying information to verify that applicants are who they claim to be to meet government reporting and disclosure requirements.

Some of the most commonly collected personal information that may be collected during employee onboarding includes:

• Address
• Birthday
• EEO data
• Email address
• Emergency contacts
• Name
• Social Security Number
• Telephone numbers

This and all other personally identifying information that an employer collects needs to be adequately protected from those with malicious intent. With well over 2,935 publicly reported data breaches between Q1 and Q3 of 2020, it’s never been more critical to implement and/or refine your business’s employee data management process.

What is employee data management?

Your employees are your most valuable assets. To prove that you value them and what they do, you should be taking every precaution necessary to protect their personal information. This is why employee data management is an absolute must-have for any business, no matter the size.

Employee data management is the practice of collecting and storing employee information, including pertinent personally-identifying information. HR teams typically use onboarding software to input new hire information into their database during onboarding and keep their information under lock and key—safe from those who don’t have the authorization to view or otherwise use the information.

Local laws may vary but companies are still expected to take the necessary steps to protect employee data overall. In fact, studies show that if your company isn’t proactively managing your employee data, it can lead to:

• Disengaged employees
• Decreases in overall productivity
• Fewer sales, etc.

How? If your employees know that you aren’t taking active steps to protect them, they know that they are at a higher risk of identity theft due to data breaches. If you don’t care about them, why should they care about you?

Navigating employee data protection laws

While general best practices are a great start, the regulatory environment for employee data has shifted from "optional" to "mandatory." Modern HR teams must navigate a web of state, federal, and international laws to avoid staggering non-compliance fines.

CCPA and CPRA’s impact on employee data

The CCPA (California Consumer Privacy Act) is a legal framework that grants employees rights over their personal identifying information (PII) and if you have employees in California, the CCPA and its expansion, the CPRA, are now in full effect. These laws grant employees "consumer-like" rights over their data, including the Right to Know exactly what is being collected, the Right to Correct inaccurate records, and the Right to Delete personal information that is no longer necessary for business operations.

GDPR: The global gold standard

Even for U.S.-based companies, the General Data Protection Regulation (GDPR) matters if you employ remote workers in the EU. It introduces the principle of Lawfulness, Fairness, and Transparency, requiring you to have a specific "legal basis" for processing employee data. Failing to provide a "Privacy Notice" that explains this can lead to penalties reaching millions of dollars.

The ADA and separate medical files

A common compliance pitfall involves the Americans with Disabilities Act (ADA). Under the ADA, any medical information (including disability disclosures or doctor’s notes) must be kept in separate, confidential medical files, distinct from the standard personnel file. Merging these is a direct violation that legal audits look for.

Eleven tips to help you protect employee data

If you’re looking for help protecting your employee data, you’re going to want to invest in proper employee data management. Not sure where to begin? Here are eight employee data management tips to get you started:

1. Understand how important your employee data really is

Before you can start implementing a plan of action, it’s important to understand just how important employee data is to not only you but to those who may breach your databases to collect this information for malicious purposes.

Personal Identifiable Information (PII), such as social security numbers and contact information, are all things that cyber attackers are after. With this information, criminals can assume your employees’ identity, open up new credit lines, access personal accounts, and steal from your employees.

When you realize just how important this information really is, you’ll see why it’s so crucial you invest in protecting your employees’ data.

Imagine all the data HR leaders get every day. Each of these pieces of data is important because they often link back to who our employees are and give out crucial information about them. If just one string of this data falls into the wrong hands, you can create a lot of havoc for your employees.

2. Adopt a "data minimization" mindset

Most organizations suffer from "Data Hoarding"—keeping every form and file "just in case." Be sure to collect only what is adequate and relevant. The safest data is the data you never collected.

Audit your onboarding process: Do you really need a copy of a birth certificate if a passport was provided? By limiting collection to what is strictly "adequate and relevant" for the job, you reduce your "attack surface."

Establish a Data Retention Policy that outlines exactly when data should be destroyed. Once an employee leaves and the legal statute of limitations for tax or labor claims passes (typically 3–7 years depending on the document), that data should be purged. This practice, known as Defensible Disposition, ensures that a breach of old archives doesn't haunt your company years later.

3. Define your privacy and security needs

Once you’ve concluded that you need to invest in employee data management, you’ll need to take some time to define your privacy and security needs.

This may require your IT team’s help because you’ll want to be able to identify any weak points in your current data management techniques/software. You’ll also need to outline what exactly you need to protect and what measures may be required to do so adequately.

Typically, your data management software should utilize AES-256 encryption for "Data at Rest" (information sitting on a server). However, the most vulnerable moment for data is "In Transit"—when it travels from an employee's laptop to your cloud. Ensure your systems use TLS/SSL protocols to create an encrypted tunnel, preventing "Man-in-the-Middle" attacks from intercepting sensitive Social Security numbers.

4. Define and share an employee privacy policy

You’ll want to take the initiative to outline your privacy policy and include what measures you’ll be taking to protect your employees and their information. Remember, if you aren’t taking the time to protect them and their information, you may see your employee productivity suffer.

Make sure your privacy policy is outlined in detail and that you share it with everyone you employ either digitally or via a printed memo/announcement.

5. Implement role-based access to sensitive data

Whether your team is creating an in-house employee data management plan or you’re investing in onboarding software, you’ll want to implement role-based access to help limit the number of individuals who have access to all personally-identifying information and sensitive data.

Some options will allow each employee to have a file that they and HR can access, while others will only limit access to HR personnel. Whatever route you choose, you want to make sure that access is as limited as possible.

At WorkBright, we offer a user permissions add-on to our onboarding software. With user permissions, you can add different users to your system and give them strict access to the files that matter to them. For example, you could make sure that a manager only has access to the files of people they manage/people in their department.

6. Invest in data privacy awareness training and vetting

Data breaches are rarely the result of a "movie-style" hack; they are usually the result of a well-placed phishing email. Implement Security Awareness Training for all staff, teaching them how to spot fraudulent requests for PII and the importance of never sharing credentials.

The individuals with the highest level of access—your HR and IT administrators—should undergo rigorous background checks and regular access audits. Use the Principle of Least Privilege (PoLP): Give employees access to only the specific data they need to do their jobs, and nothing more.

7. Have an updated crisis management plan

Unfortunately, no matter how secure you think your software or management plan may be, crises do happen. That’s why your team must have an up-to-date crisis management plan that includes three stages:

• Pre-crisis: The period before a crisis, where your team is monitoring for potential crises.
• Crisis: The moment of crisis, or when an attack on your system is underway.
• Post-crisis: The period following the crisis when recovery actions should be taken.

Your crisis management plan needs to cover each of these stages to ensure that your employee data management system actively protects your employee’s sensitive information and includes a recovery plan that protects them if their identity is stolen.

8. Invest in a robust data management or onboarding software

Suppose you don’t think your current team can set up a satisfactory employee data management system. In that case, you could benefit greatly from investing in robust data management/onboarding software or outsourcing your employee data management to a more experienced team.

When looking for employee data management software, you want to look for something that:

• Is easy to operate and manage
• Has fully remote working abilities
• Has privacy controls
• Is an HR software that meets SOC2 security compliance
• Is easily integrated with your business’s CRM and accounting management software

9. Utilize two-factor authentication on the software you choose

Once you’ve chosen your employee data management software or have developed an in-house system that you are satisfied with, you want to make sure that it has multiple privacy settings and requirements. Most importantly, you want to make sure you are utilizing two-factor authentication.

Two-factor authentication, also sometimes referred to as 2FA, is a security protocol that requires a user to use two forms of verification. In most cases, that means entering your typical sign-in information followed by a personal identification number (PIN) or using a fingerprint scan to prove that the user is who they claim to be.

In most cases, this will require that the person attempting to log into the account/software also have access to a secondary device to retrieve their pin, such as a cellphone or smartphone.

10. Never discuss personally identifiable information via email/text messaging

Finally, one of the most common tips that everyone should practice in handling employee data is that you should never discuss personally identifiable information via text message or email.

Doing so provides a paper trail that can be accessed by even the most basic of hackers. So, if you need to discuss any of this type of employee data with an employee or someone else (such as accounting personnel), ask to speak with them in-person or via Zoom to ensure that none of their information is put at risk of unauthorized collection/use.

On another level, be sure that you are keeping the same awareness level when communicating with any companies that hold your sensitive employee information. Hackers are becoming very smart and may use tools you use (or think you might use) to get sensitive information from you. Companies will never ask for your passwords via email or text message. Ensure that you keep this information under lock and key, even if you think you are talking to a representative of the company.

11. Secure personal data remotely with MDM and VPNs

With the rise of hybrid work, employee data is often accessed over unsecured home Wi-Fi.

• VPNs (Virtual Private Networks): Ensure VPN use is mandatory for any HR staff accessing the database remotely.
• MDM (Mobile Device Management): Implement MDM to allow HR to remotely wipe company data from a lost or stolen laptop, ensuring that a physical theft doesn't become a digital catastrophe.

Ensure employee personal data is secure

Your employees are your most valuable assets, and they should be treated and protected as such, which is why you need to invest in some employee data management. Otherwise, everyone who works with you is at high risk of potentially having their identity stolen and their lives impacted in a profoundly negative way.

Don’t let that happen — ensure all of your HR software follows the highest security standards to protect your organization and employees.