
12 best practices for HR data compliance

HR data compliance requires sharing data rules, carrying out audits, involving IT and legal, encouraging secure data sharing and removing terminated employees' system access.

Data breaches can have a devastating impact on a company, potentially leading to negative consequences such as lawsuits and government investigations. Every HR department must take steps to protect employee data, no matter the company size.

Big data breaches are likely top-of-mind for HR leaders, but HR staff must also avoid small breaches, such as giving a worker access to confidential employee information that the worker does not require. HR staff should also be familiar with the employee data laws that are applicable to their organization.

Here are some best practices that HR staff must follow to ensure their company avoids any data compliance issues.

Commonly applicable national and international employee data laws

Many countries and areas within them, such as states and provinces, have passed legislation requiring companies to protect their employees' personal data. These laws outline required practices when handling and sharing employee data, such as restrictions on who can see different types of data, acceptable storage methods and rules for data retention.

HR leaders should confirm if any of the following laws affect their organization. Multiple laws might apply to global companies with employees living in more than one country.

General Data Protection Regulation

The GDPR is a regulation developed by the European Union that dictates how companies can collect, use and dispose of personal data in a professional setting. The regulation's definition of personal data covers data about employees as well, not only customers.

Many countries have implemented variations of this regulation following the GDPR's release in Europe.

California Privacy Rights Act

Under the CPRA, companies must tell workers who live in California about the personal data gathered by the organization and the way that the company is utilizing that information.

Companies must share an alert about their policies related to sharing or selling data and data retention, among other policies.

Personal Information Protection and Electronic Documents Act

PIPEDA is Canadian legislation that dictates how private-sector companies can collect, use and share employee data.

One of the requirements of the act is that organizations must obtain permission from an employee to gather the employee's personal data.

12 best practices to uphold HR compliance of employee data

HR leaders should make sure their department is following these data compliance best practices.

1. Share data rules with employees

Employee training is one of the most important steps a company can take to ensure HR data compliance, and the education can range from training HR staff members to teaching employees outside HR about compliance.

HR staff who are overseeing the compliance training should consider that different employees may have different data training needs. In addition, compiling short guides for workers to refer to when needed could be helpful for employees learning about compliance.

HR should schedule follow-up data training every year and consider adding sessions if significant changes are made to laws affecting employee data.

2. Carry out audits

Performing regular audits helps identify data compliance issues before they become a bigger problem.

Data compliance audits might require HR staff to confirm that the compliance training material is still accurate, which is especially critical if laws or employee contracts have recently changed. HR staff should also confirm that employees have completed the necessary data compliance training.

The HR team may also want to audit the HR systems themselves, for example by validating log-ins, changes made to employee information and changes to security settings. Many HR systems provide an audit log that tracks most actions taken within the system, and this log can be reviewed for issues and anomalies.
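As an added example of the audit-log review described above (not code from the article or from any particular HR product), the script below parses a small, constructed audit export and flags the kinds of entries an HR auditor would want to see: changes to security settings, confidential fields unmasked outside business hours, an actor unmasking many records in a day, and a successful log-in that follows a burst of failures. The log format, the thresholds and the business-hours window are assumptions.

```python
"""Review an HR-system audit log for issues and anomalies.

Added example, not code from the original article or from any HR product.
The pipe-separated log format and every log line below are constructed
for illustration; real systems export their own schema.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export: timestamp | actor | action | target | detail
SAMPLE_AUDIT_LOG = """\
2024-03-04T08:55:12 | jlee | LOGIN_OK | - | ip=10.0.4.21
2024-03-04T09:02:40 | jlee | VIEW_RECORD | E10421 | fields=name,address
2024-03-04T09:05:03 | jlee | UPDATE_RECORD | E10421 | field=address
2024-03-04T02:13:50 | mpatel | UNMASK_FIELD | E10877 | field=ssn
2024-03-04T02:14:02 | mpatel | UNMASK_FIELD | E10878 | field=ssn
2024-03-04T02:14:15 | mpatel | UNMASK_FIELD | E10879 | field=ssn
2024-03-04T10:30:00 | admin | CHANGE_SETTING | - | setting=mfa_required old=true new=false
2024-03-04T11:00:01 | rkim | LOGIN_FAIL | - | ip=203.0.113.9
2024-03-04T11:00:05 | rkim | LOGIN_FAIL | - | ip=203.0.113.9
2024-03-04T11:00:09 | rkim | LOGIN_FAIL | - | ip=203.0.113.9
2024-03-04T11:00:13 | rkim | LOGIN_FAIL | - | ip=203.0.113.9
2024-03-04T11:00:17 | rkim | LOGIN_FAIL | - | ip=203.0.113.9
2024-03-04T11:00:21 | rkim | LOGIN_FAIL | - | ip=203.0.113.9
2024-03-04T11:01:00 | rkim | LOGIN_OK | - | ip=203.0.113.9
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time (assumed policy)
FAILED_LOGIN_THRESHOLD = 5      # failed log-ins per actor before flagging (assumed)
UNMASK_THRESHOLD = 3            # SSN unmasks per actor per day before flagging (assumed)


def parse_line(line):
    """Split one export line into a dict with a parsed timestamp."""
    ts, actor, action, target, detail = [p.strip() for p in line.split("|", 4)]
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "target": target, "detail": detail}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def review_audit_log(events):
    """Return a list of (rule, actor, description) findings."""
    findings = []
    failed = Counter()
    unmasks = defaultdict(list)
    for e in events:
        # Rule 1: every change to a security setting is reviewed
        if e["action"] == "CHANGE_SETTING":
            findings.append(("setting_change", e["actor"], e["detail"]))
        # Rule 2: confidential fields unmasked outside business hours
        if e["action"] == "UNMASK_FIELD":
            unmasks[e["actor"]].append(e)
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append(("after_hours_unmask", e["actor"],
                                 f"{e['target']} {e['detail']} at {e['ts']:%H:%M}"))
        if e["action"] == "LOGIN_FAIL":
            failed[e["actor"]] += 1
        # Rule 3: a successful log-in after repeated failures
        if e["action"] == "LOGIN_OK" and failed[e["actor"]] >= FAILED_LOGIN_THRESHOLD:
            findings.append(("login_after_failures", e["actor"],
                             f"{failed[e['actor']]} failures before success"))
    # Rule 4: one actor unmasking many records in the reviewed period
    for actor, evs in unmasks.items():
        if len(evs) >= UNMASK_THRESHOLD:
            findings.append(("bulk_unmask", actor, f"{len(evs)} records unmasked"))
    return findings


if __name__ == "__main__":
    for rule, actor, desc in review_audit_log(parse_log(SAMPLE_AUDIT_LOG)):
        print(f"{rule:22} {actor:8} {desc}")
```

Routine activity by `jlee` produces no findings; the thresholds are deliberately simple so the reviewer can tune them to the volume a real export shows.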

3. Involve IT and legal if needed

The IT and legal departments can each bring expertise to the topic of data protection. Members of the legal department can confirm that the company's training and policies adhere to the laws applicable to the company, and they usually become involved if problems arise or if employees have questions that a member of the legal team must answer.

The legal department might also get involved when the company is buying new software, as members of the legal department might confirm that the locations of the vendor's data centers are compliant and review the vendor's data privacy policies.

Of course, IT is also involved when acquiring new systems, and IT staff often confirm that new software upgrades comply with data policies.

4. Encourage secure data sharing

HR staff must emphasize to employees the importance of only sharing information through the proper channels.

All employees must avoid sending confidential information through insecure channels, such as email. Instead, employees should share sensitive data using tools that limit who can see the data.

Organizations that operate in highly confidential industries, such as the military, may require additional data safeguards. Employees in these fields may not be allowed to use USB keys or other devices that would allow an employee to download confidential information, such as a co-worker's home address.

5. Remove system access for terminated employees

HR staff must work with IT and any other applicable departments to ensure that employees who leave the company lose access to all systems.

Revoking former employees' access to confidential information helps protect the company and removes any risk of a former employee misusing confidential data.
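The step above is only reliable if someone regularly checks that the access was in fact removed in every system. As an added example (not code from the article), the script below reconciles a constructed HR termination list against constructed account exports from several systems and reports accounts that are still enabled, with how many days they are past an assumed one-day removal window.

```python
"""Reconcile HR terminations against still-enabled accounts.

Added example, not code from the original article. The termination list and
the per-system account exports are constructed inline; in practice they come
from the HRIS and from each system's administration export or API.
"""
from datetime import date

# Constructed: terminations reported by HR, keyed by employee ID
TERMINATIONS = {
    "E10421": date(2024, 2, 28),
    "E10877": date(2024, 3, 1),
    "E10990": date(2024, 3, 4),
}

# Constructed: account exports from three systems as (employee_id, enabled)
ACCOUNT_EXPORTS = {
    "hris":    [("E10421", False), ("E10877", True), ("E10990", True), ("E11000", True)],
    "payroll": [("E10421", True), ("E10877", False), ("E11000", True)],
    "vpn":     [("E10421", True), ("E10990", True), ("E11000", True)],
}

GRACE_DAYS = 1  # assumed policy: access is removed within one day of termination


def stale_access(terminations, exports, today):
    """Return sorted (system, employee_id, days_overdue) for every enabled account
    that belongs to a terminated employee; days_overdue is 0 inside the grace period."""
    findings = []
    for system, accounts in exports.items():
        for emp_id, enabled in accounts:
            if enabled and emp_id in terminations:
                overdue = (today - terminations[emp_id]).days - GRACE_DAYS
                findings.append((system, emp_id, max(overdue, 0)))
    return sorted(findings)


def overdue_only(findings):
    """Keep only the accounts that are past the grace period."""
    return [f for f in findings if f[2] > 0]


if __name__ == "__main__":
    for system, emp_id, days in stale_access(TERMINATIONS, ACCOUNT_EXPORTS, date(2024, 3, 5)):
        status = f"{days} day(s) overdue" if days else "within grace period"
        print(f"{system:8} {emp_id} {status}")
```

Running it against the sample data shows the typical failure mode: the HRIS account was disabled, but payroll and VPN access for the same person was not.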

6. Restrict access to confidential data in HR systems

When assigning roles to employees, or developing new roles, the system administrator needs to make sure that the employee receiving the role only has access to the fields and data they require. For example, some employees in HR don't require access to an employee's Social Security number, so that field should not be available to them.

Access can also be limited to the scope a person needs to perform their duties. For example, an HR team member might require access to confidential data only for employees in certain states rather than for all employees in the U.S.

7. Mask confidential data

Many HR systems will allow for masking confidential information by default. This can apply to data on screen or in reports. For example, an employee's Social Security number might appear as XXX-XX-#### where the last four digits appear by default, but the first five digits are replaced by an X unless an action is taken to unmask them. Some systems will even use multifactor authentication (MFA) when someone unmasks a confidential field to confirm that the intent is to view the data.
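The following is an added example (not code from the article or from any HR product) that puts practices 6 and 7 together: a role defines both the fields it may see and the states it covers, records are looked up by employee ID rather than by a confidential value, and the Social Security number is returned as XXX-XX-#### unless the caller takes an explicit unmask action. The role names, field sets and state scopes are assumptions; the MFA prompt some systems attach to unmasking is represented only by the explicit `unmask` flag.

```python
"""Field-level access by role and scope, with the SSN masked by default.

Added example, not code from the original article or any HR product. The
records, roles, allowed fields and state scopes are constructed for illustration.
"""
import re

# Constructed employee records keyed by employee ID (not by SSN)
EMPLOYEES = {
    "E10421": {"name": "A. Rivera", "state": "CA", "salary": 91000, "ssn": "123-45-6789"},
    "E10877": {"name": "B. Chen",   "state": "NY", "salary": 87000, "ssn": "987-65-4321"},
}

# Assumed role definitions: fields the role may see and the states it covers
ROLES = {
    "hr_generalist_west": {"fields": {"name", "state", "salary", "ssn"}, "states": {"CA", "WA"}},
    "payroll_clerk":      {"fields": {"name", "state", "salary"},        "states": None},  # None = all states
}

SSN_RE = re.compile(r"^\d{3}-\d{2}-(\d{4})$")


def mask_ssn(ssn):
    """Return XXX-XX-#### keeping only the last four digits."""
    m = SSN_RE.match(ssn)
    if not m:
        raise ValueError("not an SSN-shaped value")
    return "XXX-XX-" + m.group(1)


def view_record(role_name, emp_id, unmask=False):
    """Return the subset of a record the role may see, or None if the record is
    outside the role's state scope. The SSN is masked unless unmask=True."""
    role = ROLES[role_name]
    rec = EMPLOYEES[emp_id]
    if role["states"] is not None and rec["state"] not in role["states"]:
        return None
    view = {k: v for k, v in rec.items() if k in role["fields"]}
    if "ssn" in view and not unmask:
        view["ssn"] = mask_ssn(view["ssn"])
    return view


if __name__ == "__main__":
    print(view_record("hr_generalist_west", "E10421"))          # SSN masked
    print(view_record("hr_generalist_west", "E10877"))          # None: NY is out of scope
    print(view_record("payroll_clerk", "E10421"))               # no SSN field at all
    print(view_record("hr_generalist_west", "E10421", unmask=True))
```

The two checks are deliberately separate: scope decides whether the record is visible at all, and the field list decides which columns survive, so a role that is in scope still never receives a field it was not granted.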

8. Force password changes and MFA

Forcing employees to create strong passwords that must be changed on a regular basis helps protect against data leaks. Also, using MFA adds an additional layer of protection from unapproved access to confidential data.

9. Keep virus scanner and anti-malware software up to date

It's important that each employee's laptop or computer is protected with up-to-date software to limit unauthorized access. In many companies, the IT department is responsible for installing and maintaining the software, and can force updates remotely to maintain compliance. However, if an employee is accessing HR systems from a personal computer, such as one at home, they must ensure that the system is properly protected before logging in.

10. Get approval before sharing confidential data

When an employee requests access to confidential information, there should be an established approval process in place. These requests might be for reports that contain confidential information, or enhanced access to HR systems. The approval might come from the employee's manager or the HR leader depending on the nature of the request.

11. Avoid using confidential data as a unique identifier

To share data between systems or to use lookups in spreadsheets, HR should use a unique identifier for each employee. This allows each system to know whose data is being updated or requested. The ideal ID to use is the employee ID that is assigned to each employee in the HRIS, since these are unique and don't change. While Social Security numbers are also unique, they are confidential and should only be used for official purposes.

12. Ensure extra protection when traveling

Working with IT, HR should make sure that devices employees use when traveling are equipped with the proper protection and security measures, especially since employees might connect to open networks. Devices often come with a VPN or other applications that add a layer of security.

Eric St-Jean is an independent consultant with a particular focus on HR technology, project management, and Microsoft Excel training and automation. He writes about numerous business and technology areas.
