Part of doing business in the HR side of any company is dealing with sensitive information from employees. You have to gather identification cards, bank accounts, social security numbers, and several other sensitive pieces of information. When you hire an employee, it becomes your responsibility to ensure that you use their personally identifiable information (PII) correctly and protect it from prying eyes. In this post, we’ve consolidated the common precautions to make your international data management more secure so you can protect your employees’ information.
In many countries, protecting your employees’ data is not just an ethical mandate, it’s also a legal one. Globally, countries have a patchwork of laws protecting different pieces of data with different requirements and penalties. As a rule, the data that countries protect by law is PII.
PII is any piece of identifying information that can be linked to a living individual, such as a name or social security number. Sometimes it refers to several data points that identify someone only when linked together, such as a birth date, gender, and postal code.
Violating data protection laws can lead to severe penalties. Fines for violating HIPAA privacy rules in the United States range from $100 to $50,000 per incident. If someone knowingly and intentionally violates privacy, there can even be criminal prosecution. Agencies in France, Spain, and Germany have delivered fines of more than €1 million and even some criminal penalties. Employees may also sue a company that is negligent in protecting its employees’ data, as some did following Sony’s famous hack in 2014. And we are still investigating the now infamous 2017 US Equifax security breach affecting hundreds of millions of people. The US Congress has already conducted four hearings related to Equifax and data breaches in the first week of October 2017, which just happens to be cybersecurity awareness month.
One of the ways to mitigate your risk is to limit the amount of information you collect and send. You can’t mismanage data that you don’t store. Consider what information you collect when you hire a new employee. Ask yourself, what is the minimum amount of information you need to integrate the employee into the business and pay them on time?
You also don’t need to send the employee’s complete file every time you use their information. Develop regulated and replicable systems within the company so you only send the data necessary to accomplish a task.
The more eyes that see your employee data, the more likely a breach can occur. The easiest way to mitigate this risk is to limit the number of people who have access to other people’s secure data. Regularly evaluate how you use this data and who has access to it so you can adjust who has access to what information. Include a process to dispose of sensitive information when you no longer need it. Keeping employee information when you don’t need it only adds unnecessary risk.
There have been many high-profile hacks of major corporations in recent years. While you may worry about a hacker’s sophisticated methods for breaching your expensive security system, the easiest route to your employees’ private information is through another employee.
On March 19th, 2016, Hillary Clinton’s campaign manager, John Podesta, received a phishing email purporting to be an alert from Google. Through a series of mistakes, he believed it was a legitimate email, so he followed the link and entered his password, giving nefarious persons access to his private email. Had he followed simple security training, he would have recognized the scam and kept his information safe.
No one wants to follow in Podesta’s footsteps. You should train your employees in basic information security practices:
• Recognize scams and phony emails
• Instead of sending PII in the body of an email, attach it in a file, preferably an encrypted one
• Use secure connections and networks, such as a virtual private network (VPN), and avoid using public Wi-Fi
• When uploading PII to a website, ensure that the site is secure (served over HTTPS)
Get a SOC 1 from third-party service organizations
If your company is like most, you outsource some or all of your international payroll systems. No matter how good your international data management system is, it won’t protect you if your payroll provider doesn’t have robust protections.
A SOC 1 report is the best way to see how a service organization manages the information you give it. In the report, executives of the service organization describe their internal controls to show how they protect your employees’ personal data. Then, a third-party auditor examines those controls to assess whether they actually do so. Ask a potential service organization for a SOC 1. It will show that they are serious about protecting your employees’ sensitive data.
To learn more about how to protect your employees’ sensitive data, especially data acquired during the payroll process, contact a member of our team today. We take the necessary precautions to ensure your team members’ information is safe and secure, preventing it from falling into the wrong hands. We’d love to tell you more about the benefits of working with a secure international payroll provider. Get in touch today!
**This article is for informational purposes only. It is not intended to constitute legal advice.