The HR industry works with sensitive data that can have enormous consequences if leaked, says a compliance advisor from ACI. Several breaches of employee data the last few years shows HR is vulnerable. According to MHI Vestas, an offshore wind energy enterprise, compliance is a must. One of Europe’s leading HR assessment tools providers, Master International, the trend points to HR departments choosing subcontractors that are ongoingly audited.
Employers in Europe have now had two years to live up to the EU’s General Data Protection Legislation (GDPR) since it entered into force on 25 May 2018. Hundreds of thousands of cases are running, and there have been penalties for several hundreds of millions of euros.
Within the HR industry, leaks of CVs and employees’ personal data have primarily characterised the cases so far.
In April, General Electric’s (GE) subcontractor Canon Business Process Services was the cause for a breach of personal information about GE’s current and previous employees – e.g. social security numbers, scans of birth certificates passports and driver’s licenses etc.
“A leak of HR data, such as personal information about employees and job applicants, can easily become the worst disaster a company will ever experience in terms of both fines and reputation”, says Bo Thygesen, partner & consultant at ACI, an IT consultancy company that works within risk management and compliance, primarily for the financial sector but recently also HR.
MHI Vestas: Compliance is a must and ongoing audits helps us choose partners
MHI Vestas uses Master International’s partner in Denmark for recruitment which, among other things, includes personality tests of applicants.
“It provides a quick and good overview of who you are speaking to, and creates a good basis for dialogue”, says Michael Storm, Head of Recruitment at MHI Vestas Offshore Wind, which has 3500+ employees and is a global player in offshore wind energy.
At MHI Vestas, GDPR was high on the agenda throughout the company for a period of approximately 1.5 years, both up to and after the directive came into force in 2018.
“All departments are affected, but HR deals with a lot of sensitive personal data, which means that the GDPR priority is above average with us,” says Michael Storm.
“This means that it is a “must” to live up to the GDPR if you are to be a subcontractor with us. GDPR declarations, such as ISAE 3000, make it easier for us to assess it and clearly have a positive impact. If there is any doubt, the Legal Department will highlight the issue”, he says.
Master International: Large companies and the public sector demand it
Master International has achieved the strictest form of GDPR compliance: An ISAE 3000 type 2 which is an annual declaration on how to protect personal data, with externally audited documentation to ensure compliance with multi-measurement guidelines throughout the year – i.e. proof of compliance with GDPR guidelines.
In order for Master International to obtain this strict compliance declaration, the company has spent several years on preparation, including three employees who have worked several hours each week in the past year. This is a necessity, says the CEO.
“Large companies require a guarantee of secure data processes from their suppliers. And our public sector customers have, within the last 1 ½-2 years, seen it as preferable that we have a declaration that not only claims, but also proves, that we comply with the GDPR. When we had the slightly milder type 1 declaration, we had to answer a bevy of questions every time”, says Jesper Broberg, CEO of Master International.
“We have chosen to go through with this, to give our customers peace of mind as to whether they themselves, via their subcontractors, live up to the GDPR in their HR processes”, says Jesper Broberg.
Inforevision: More choose ongoing audits
Inforevision, that audited the Master International, has experienced increasing demand since May 2018, and several factors drive the motivation for compliance.
“If you collect, process and store data on behalf of customers, we find that more companies want an ISAE 3000 type 2 declaration. Even the small companies. They see it as a competitive advantage, and their customers demand it. And they are reminded of the risk every time they read news about data leaks and penalties. So this is the way we see things going in the future”, says John Richardt Søbjærg, Partner and Chartered Accountant.