
You need a data protection policy – Here’s the basics


Cybersecurity threats and data breaches have become the rule rather than an exception for businesses. Do you have a data protection policy and the necessary procedures in place to guard against this threat?

Your role as an HR professional requires you to handle sensitive data that can be vulnerable to disclosure.

The potential damage from a data breach goes beyond tarnishing your organization’s reputation.

The legal liability for data breaches and failure to comply with data privacy laws can incur prohibitive costs, including fines and penalties. Loss of productivity as the company recovers from a data breach and paying for investigation and remediation expertise add to the final tally.

As an HR professional, you’re a valuable partner to your organization’s IT department. From communicating the importance of information security to new employees to dealing with the potential information security issues every company faces, you play a vital role in keeping company information safe.

Protecting business data starts with a solid understanding of best practices in cybersecurity. Here’s what you need to know about a data protection policy and how to implement one.

How do you build a data protection policy?

Data protection focuses on guarding information that, if inadvertently disclosed, could harm you or your business.

Personally identifiable information no longer only includes data like social security and driver’s license numbers. It’s expanded to a much broader concept, which includes:

  • Data you commonly might consider as private, such as your health information or banking information
  • Other data that begins to identify you, such as your computer’s internet protocol (IP) address and your web browsing history
  • The relationships you have with third parties and how you share data with them

Implementing a robust policy goes hand-in-hand with understanding your company’s data privacy compliance requirements for all types of data held.

Here are some best practices for protecting data:

1. Undertake a comprehensive inventory of sensitive data.

Work with your IT department to catalog where sensitive data is maintained in the business environment, in on-premises applications as well as cloud-based applications. A full data inventory and tracking system will document what the business has and who can access it.

A detailed inventory of sensitive company data should include an analysis of:

  • Data on HR systems, like payroll, health and retirement benefits, employee records, etc.
  • Unstructured data that resides in email accounts, remote servers and company equipment
  • Who has access to edit or view the data
  • The volume and aging of that data

2. Develop guidelines and principles that codify the company’s data privacy protection policy.

This includes assessing your ability to maintain privacy and confidentiality of data on all systems.

Understand the company’s stance on data privacy by talking to stakeholders and subject matter experts across the organization. Be sure to ask:

  • What data will be collected?
  • How long will it be kept, and does that comply with the laws?
  • Is there limited data access that is monitored, or is that data openly available?
  • What measures will be taken to protect data?
  • Is the planned use of the data aligned with why it was collected?

3. Communicate the company’s data security policy across the organization.

Everyone should understand their responsibility. Use plain English to explain why compliance is required.

4. Update and maintain your inventory of data as new systems come online.

If your company acquires new technology, a new business or implements a new organizational process, it’s time to update the inventory and ensure your data privacy policies support the event.

What are the most common ways data is stolen, and how do you prevent data theft?

Most cybersecurity incidents can be traced back to human error. Training employees on the most common threats to company data should include actionable advice on what to do or avoid. Business technology solutions should help employees protect themselves from these threats.

Basic strategies for preventing data theft include:

1. Never open an unsolicited email attachment or unknown file.

Until you can verify it’s safe, just don’t open it. Safeguards, such as active virus scanning programs and anti-malware tools, can help as a first step.

2. Learn to spot and prevent phishing.

While many employees may recognize blatant phishing emails, cybercrime has grown more sophisticated.

A data breach can start with a phone call from someone pretending to be a customer asking innocent-sounding questions about the company and its operations, for example.

Stay on top of evolving phishing threats, so employees know what to avoid.

3. Require use of different and strong passwords for each account, and change them regularly.

Company-provided password management software can help employees with password practices. A user only needs to memorize one personal master password to gain access to their password list. Most password managers also track employee access to data across company systems.

A good rule of thumb: the more characters in a password, the harder it is to crack. A four-character password is simple to crack; a 14-character one is virtually impossible.
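To put that rule of thumb in numbers, here is an added example (not code from the original post) that computes the search space and worst-case exhaustive-search time for the two lengths above. The 95-character printable-ASCII alphabet and the guess rate are assumptions chosen for illustration.

```python
import math

# Assumed guess rate for an offline attack against a leaked password hash
# (constructed figure for illustration; real rates depend on the hash
# algorithm and the attacker's hardware).
ASSUMED_GUESSES_PER_SECOND = 1e10

# Size of the character set when a password mixes upper case, lower case,
# digits and printable ASCII symbols (assumption for this example).
PRINTABLE_ASCII = 95


def search_space(length: int, charset_size: int = PRINTABLE_ASCII) -> int:
    """Number of distinct passwords of exactly this length."""
    if length < 1 or charset_size < 2:
        raise ValueError("length must be >= 1 and charset_size >= 2")
    return charset_size ** length


def entropy_bits(length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length: int, charset_size: int = PRINTABLE_ASCII,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password at the given guess rate."""
    return search_space(length, charset_size) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # The two lengths from the rule of thumb: 4 characters vs. 14 characters.
    for length in (4, 14):
        print(f"{length:2d} chars: {entropy_bits(length):.1f} bits, "
              f"exhaustive search {human_duration(seconds_to_exhaust(length))}")
```

The 4-character password falls in a fraction of a second at this rate, while the 14-character one takes billions of years; random generation by a password manager is what makes the entropy figure hold.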

4. Establish processes to monitor your network for suspicious behavior.

Simple measures can help reduce unauthorized data use:

  • Use two-factor authentication to log in.
  • Require VPN access to company systems.
  • Set alerts for suspicious patterns of data access.

What do you do if your company’s data is stolen?

Time is of the essence once a company becomes aware that sensitive data has been stolen. Here are tips to keep in mind as you work to detect, assess, respond and recover from an incident.

1. Develop an incident response playbook.

A playbook should describe:

2. Establish a company central point of contact.

Have a spokesperson available to answer data breach concerns.

3. Immediately engage your company’s IT personnel about the breach.

If there is no IT department, consider hiring an IT security firm or consultant to assess the company’s computer network and address security weaknesses to prevent a future data breach.

Security specialists can also investigate the breach and collect information on how it happened and how much data was stolen.

4. Contact your company’s insurance provider, if you have cyber liability insurance.

A cyber liability policy will pay for some of the costs associated with responding to a data breach. Depending on your policy, this can include:

5. Be transparent with the appropriate authorities and parties concerned.

If there is no incident response plan in place to review, start by checking state and federal data breach laws and notify those entities as required.

Report the data breach to local law enforcement or consumer protection agencies, if required by state law. Consider offering a credit monitoring service to customers.

You will also need to post an announcement on the company website about the data breach and notify impacted individuals if required by your applicable state regulations.

Data protection is essential for all HR professionals

Data protection is a fundamental component of an organization’s social responsibility in the digital age. It has become an essential compliance function for any organization that collects, uses or shares personal information or other potentially sensitive data.

Clients and employees alike place their trust in us to be good stewards of their data and how we handle its confidentiality. Managing this responsibility well has become a fundamental “table stakes” of doing good business.

If you’re handling data and looking to modernize your HR department, download and read our complimentary e-magazine: Derailed by data? The Insperity guide to HR technology