Is your HR software provider keeping employee data safe?

July 19, 2017

With GDPR right around the corner, it’s more important than ever for your HR software supplier to take security seriously. Do you know how they handle your sensitive employee information? Or where they store it?

Why you should care about this

If you employ people, then General Data Protection Legislation is going to affect your company. And while you might feel like burying your head in the sand, you shouldn’t – failure to comply could lead to expensive fines, confiscated equipment, and even forced company closure.

Besides, your employees want to know how safe their personal information is. So before you make a decision that affects their sensitive data, would you not want to be sure that you can tell them, hand on heart, that you have checked out the vendor and that their information is safe?

The ability to show employees how their information is being handled is a key part of GDPR, by the way. So instead of hiding from phrases like ‘information security’, read the following checklist. It will take you ten minutes to digest, but could give you peace of mind for the rest of your career.

1. Is your HR software vendor ICO registered?

In the UK, any company processing personal data is legally required to register with the Information Commissioner’s Office (ICO). This is the first, most basic check you should make.

ICO registration is not a guarantee that your HR software supplier takes security seriously. But it does confirm that they are at least aware of their legal responsibilities.

It’s easy to check if a company is ICO registered. Simply enter their ICO registration number, or their company name, into the ICO’s registration search tool.

2. Is your HR software vendor ISO27001 accredited?

If ICO registration is the most basic way to demonstrate commitment to information security, then ISO27001 accreditation is the most advanced. ISO27001 is the international standard for information security management systems, and certification against it is very difficult to achieve.

Any company wishing to become ISO27001 accredited will need to have their internal systems rigorously vetted by an independent auditor.

Note: Some providers will claim they have ISO27001 accreditation by association – because their chosen data centre has the accreditation. While this does mean your data is being stored in a safe place, it doesn’t necessarily mean that your HR software provider is handling your data with care. Make sure you ask your supplier to show you their own company certificate.

Verifying that a vendor is ISO27001 accredited is a little bit more complicated than checking registration with the ICO. But it’s possible! Let me show you how:

How to check if a company is ISO27001 certified

Because there is no central register, you’ll have to verify your supplier’s ISO27001 accreditation manually:

  1. Request their registration certificate. This should show you the body that issued it, the dates it is valid from and to, and the full scope of the accreditation.
  2. Check the scope covers your personal data. The scope determines which areas of the business the accreditation covers. Make sure it covers the area dealing with your employee data! You’ll want the scope defined as something like this: “The management of information security in providing online Human Resource Management software and services to its customers.”
  3. Find out which certification body awarded the certificate, and whether that body is itself accredited. Technically anybody could certify a company against ISO27001 – but not every certification body is recognised by its country’s national accreditation body. For example, in the UK, the only recognised accreditation provider is UKAS. Look for the UKAS badge on your vendor’s certificate.
  4. Call the body that issued the certificate to verify it. You’ll want to make sure the certificate is genuine. Give the issuing body a call, and ask them to confirm that your HR software vendor holds the credentials they are claiming, with the scope and dates shown on the certificate.

This shouldn’t take you very long. And if the certificate checks out, then great news! You now know that your HR software supplier is treating your employee data with care.


3. Where are they keeping your data?

You’ll want to make sure that your data is not being hosted anywhere that would breach data protection legislation. For example, most companies bound by GDPR should not be moving personal data outside of the European Economic Area.

Remember that GDPR will come into effect from May 2018 – you should be acting now to make sure you’re prepared.

Do you know where your HR software supplier stores your information? If not, find out – ask where their data centres are located, and where your data is moving to and from.

4. Is the data centre reliable?

It’s really important that your HR software supplier chooses a data centre with a great reputation, and impeccable credentials. For example, you’ll want the hosting provider to be ISO27001 accredited – as well as the HR software vendor themselves.

You’ll also want to know things like the data centre’s backup and recovery procedures, as well as their other disaster recovery plans – i.e. the measures they take to protect against, or bounce back from, server damage or corrupted data. Reliable names in secure data hosting, such as Rackspace or Pulsant, will have extensive documentation on their full array of security procedures.

Remember too that the security of a data centre is about more than just strong encryption and their ability to withstand cyber-attacks. Reliable data centres should also have a physical security presence on-site, to prevent damage or stolen data resulting from trespassing or vandalism.

5. Does your HR software vendor commission frequent penetration tests?

It’s one thing simply declaring that a system is secure. But has your HR software supplier done anything to test or prove this?

Regular external penetration tests are designed to put a system under pressure and probe for any weaknesses that an attacker could exploit to steal your data.

Make sure your HR software vendor can tell you which company they use for penetration testing, and how often they commission these tests. Ideally, you should be looking for reputable security names, such as NCC Group or Pen Test Partners, as you can be sure they will carry out thorough tests.

Your employees deserve to know that their data is safe

Look, it shouldn’t take a huge shake-up like GDPR to make you think seriously about the security of your employee information. Your employees deserve to know that their sensitive data is being handled with care. But maybe GDPR is serving as the kick up the backside we all need.

Whether you’re investigating HR software for the first time, or whether you’ve been using it for many years, set yourself a challenge right now: Ask your vendor, or your potential vendor, about each of the five points above.

Make it your personal responsibility to ensure employee data remains in safe hands. Do your due diligence.
