Traditionally, HR policies include gross misconduct, disciplinary procedures for theft, tardiness or poor performance, but what if a laptop or tablet device goes missing with sensitive information on it?
These archaic policies tend to focus on employees' actions rather than technology issues, which are often left to the IT department. The way employees work is being shaped around these new devices, and HR needs to move with the times to encompass these new threats.
Review your data protection policy
Every large organisation needs a data protection policy, but often this policy can be signed off and forgotten about. The legislation concerning data protection may not have changed much in the last few years, but the good practices have. This should prompt a constant review of this policy to ensure that it still corresponds with the law. Ensure that information is fairly and lawfully processed.
It's crucial that the information stored is up to date, relevant and not excessive with nothing being kept for longer than necessary. Sensitive data also needs to be processed with each individual's rights in mind with nothing sent outside the EEA (European Economic Area) without adequate protection.
When a new employee arrives it is important that the relevant checks are carried out to ensure that the employee is right for the business. During the employee's time at the company, his/her access to information, whether through company hardware or personal devices, also needs to be monitored.
Additionally, when an employee leaves an organisation, it is vital that there is a sufficient exit strategy, which takes into account the devices and IPR that they need to hand back to the company.
In the event of a data breach
Even with a comprehensive data protection strategy in place, the human factor will always be the weakest link. When a breach occurs there are a number of points that HR managers need to consider. It is important for HR to ensure they have current contact details of the employee(s) involved in the breach and know which areas of the business are affected. From here, the correct support can be provided to the employee(s) (assuming the breach is accidental).
It's vital that there is an Incident Management function to triage the breach and support those affected when a breach occurs; HR needs to play a big role within this to support the investigatory stages of the response. Notifications should also be made to customers that may be affected by the breach. If necessary, regulatory bodies and legal departments should also be informed so that they can provide advice.
Affected line managers should be supported to understand the seriousness of the data breach and how it may affect business activity. In order to minimise the risk of a breach occurring, there are a number of pre-emptive measures that businesses can consider. In order to avoid corrupt behaviour within an organisation, HR managers must monitor the disciplinary and performance records of employees from the start to the end of employment, with any suspicious behaviour highlighted to the appropriate management staff.
Employees should be vetted regularly to ensure that changes in circumstances are identified and brought to the attention of the company. Companies should also consider a helpline for anonymous support and notification of breaches, together with mandatory, relevant training for all employees that is kept up to date in line with business activity.
Christian Toon, head of information risk, Iron Mountain