03/09/2015

By Chris Bruce, Managing Director of Thomsons Online Benefits

Think of data breaches and it’s often customer risk that springs to mind. Nevertheless, while companies are right to guard against the theft of customer passwords and credit card details, it’s essential they demonstrate equal care when dealing with employee data. With the EU preparing to reform its data protection legislation later this year, this is of critical importance if companies want to avoid financial and legal ramifications.

The past year has seen a flurry of security breaches, including the recent US government database breach, during which the personal information of at least 21.5 million people was stolen by hackers. Despite incidents like this highlighting the importance of data protection, many companies still have no set processes in place around how they handle employee data. This is extremely worrying when you consider how sensitive this data is. Hackers could potentially have access to staff home addresses, information on their dependants, their medical history, social security numbers, salary and bank details. Imagine if that happened to you. How violated would you feel knowing that a stranger held that many of your personal details and could use them in future to defraud you?

The fact that this data can be used for identity theft highlights the enormity of the problem. Indeed, the weight the EU places on this is evident in the fines proposed, which could see non-compliant companies cough up as much as €100m or 5% of global revenue, whichever is higher. With the Council of the EU recently reaching what it described as “a general approach” on the new Data Protection Regulation after a standstill of over a year, companies are fast running out of time to reform their data protection processes.

With this “general approach” established, the Council of the EU can now begin negotiations with the European Parliament and European Commission with a view to reaching overall agreement on the new regulation before the end of the year. These negotiations represent the most significant change to data protection in the UK and EU since 1995.

According to the Council of the EU, the proposed regulation will “enhance the level of personal data protection for individuals” and “increase business opportunities in the Digital Single Market”. It aims both to harmonise the current laws in place across the EU member states and to provide a higher common standard of data protection. As it is a regulation rather than a directive, it will be directly applicable to all EU member states without the need for national implementation of legislation.

While clearer regulation should be welcomed, there are certain aspects of the proposal that are likely to give UK companies a headache. In the UK, there is currently no legal requirement for companies to self-report data breaches, meaning that your personal data could already have been stolen without you knowing. Education – or the lack of it – makes a significant contribution to this problem. Many of those involved in transferring employee data are simply unaware of the risk involved and of the need to encrypt the data prior to transfer. We’re still hearing of Excel documents and emails being used to transfer confidential financial employee data to insurers and pension providers. Even large multinationals, with well-established data protection processes, are failing to replicate best practice in smaller-headcount locations. This simply is not good enough. Data protection processes must be implemented universally. Companies have a duty to their employees which includes protecting their sensitive data, no matter where they’re based.

For many companies, compliance will mean a complete overhaul of their data protection procedures before the regulation is implemented. Even companies with fewer than 250 members of staff may need to consider hiring dedicated information security officers to take on the responsibility of protecting employee data. If they are not already planning for this, organisations risk coming unstuck when the proposed legislation comes into force.

It is not just a case of reviewing internal processes. Under the new regulations, any company or individual that processes data that can be used to identify an individual will also be held responsible for its protection, including third parties such as cloud providers. This means that while third parties will need to be extra vigilant, it’s the data owners that will ultimately be responsible for properly vetting all organisations that handle their data. If proper checks are not done, then they will be negligent and held responsible for any losses an employee suffers as a result of a breach. Ensuring that data is stored in a private cloud is one of the ways employers can protect themselves from this. Any third-party cloud provider should know where your data is located at all times and ensure that no data leaves that location unless instructed to.

Organisations need to think about how they can protect themselves in every way possible, and using an employee benefits portal to automate data processes is one way to do this. There is a wealth of information that companies need and hold to determine benefit eligibility, including medical history and number of dependants. Using a benefits platform will help organisations remain compliant in their handling of such sensitive data by removing the risk of manual error and adding a data security wrapper around its transfer. It also allows data to pass securely between an organisation and a third party, and ensures that the technology environment is globally consistent.

It is worth noting that organisations using cloud providers based outside the EU will be subject to the same rules. In fact, the most recent negotiations concluded that organisations transferring personal data on EU citizens outside of the European Economic Area will be subject to even tighter regulation.

The next meeting of the “trilogue”, the European Commission, the European Parliament and the Council of the European Union, is scheduled for September. While the changes introduced by these new requirements might initially appear a burden, compliance means that employees will be far more in control of their data and that the chances of data loss will be greatly reduced. The most important piece of advice I’d give employers is to act now – and be prepared.