
An HR professional’s guide to data privacy compliance and security

As an HR professional, you work daily with sensitive, highly confidential employee and business data. But how knowledgeable are you about HR data privacy compliance and security?

Think about every data point you regularly touch regarding employees (Social Security numbers, salaries, health care and retirement plans, background checks, etc.) and proprietary business information (customer data, mergers and acquisitions, planned layoffs, etc.).

You may be familiar with high-profile, large-scale breaches and their impact. Information on more than 140 million Americans was stolen from Equifax, one of the nation’s largest credit reporting companies, in 2017. Target, one of the largest U.S. retailers, had up to 70 million customers’ data hacked in 2013. Anthem, an American health insurance company, had nearly 78 million Americans’ medical data stolen in 2015.

But what about the inadvertent disclosure of personally sensitive data? What about the time when a manager sent a performance evaluation to another employee? Or when a sales representative sent a different company’s information to another client?

In all of these cases, if that information gets into the wrong hands, that’s bad news for everyone involved. This can lead to enormous liability – both legally and for the business’ reputation.

To mitigate the most important consequences of a sensitive data breach, you should undertake two parallel efforts: Ensure compliance with state and federal laws, and advocate for data protection best practices.

Here is what you need to know about ensuring compliance with data privacy laws and maintaining HR data protection practices.

What state and federal laws govern HR data privacy compliance?

HR professionals have many responsibilities, but none as important as their duty to protect employees and the company. That means they must take on a much different role than in years past and understand which federal and state laws apply to their company when it comes to data privacy compliance.

The U.S. lacks a comprehensive federal law regulating how personal information is collected and used. Instead, it regulates how specific sectors must handle sensitive information.

State laws vary in how they address data breaches generally and sensitive data specifically. Look to the state laws that apply to your company. Newly added state laws may also overlap with other laws.

State laws may have additional requirements and restrictions on how employers use, store and transmit employee information. An employer’s liability for data breaches varies from state to state.

California and Massachusetts, for example, have been more active than other states in passing data privacy legislation, so they have more compliance requirements.

How do you stay compliant with federal and state laws?

A robust HR data protection strategy starts with checking state laws to ensure that the company is in compliance with the relevant data privacy laws.

1. Understand what state, federal and international laws apply to your business.

Because the U.S. “patchwork” system of federal and state laws and regulations is constantly changing, you should be aware of relevant pending bills on data privacy and security. Consider setting automated alerts to stay up to date on news of new cybersecurity and data protection laws.

2. Assess your company’s compliance requirements by industry, location, clientele and types of data processed.

Not only do the governing bodies and regulations vary by state, but they also vary by industry.

For example, a financial services company licensed in New York must comply with specific state laws about cyber preparedness and protecting personal privacy data.

Or, a business operating only in the U.S. will face different compliance requirements than a global consumer-facing organization with physical stores and online commerce.

3. Build and share your knowledge base.

Become well versed about these matters to help inform employees and clients about their data privacy rights.

The more you understand data privacy, the more effective you will be in advising leadership on how these regulations impact a company’s business.

4. Help set expectations with staff.

Stress the importance of protecting sensitive information and what it means to adequately balance individual privacy concerns against the requirements of running a business. Create a culture of compliance with expected data privacy best practices.

5. Maintain transparency in the process.

Work to build trust with all the constituents of a business – employees, clients, third parties and vendors.

Taking this approach requires HR professionals to go beyond knowing employment laws or understanding the cybersecurity focus of most IT professionals. Viewing data privacy and compliance through the lens of relevant laws and regulations will help inform HR professionals on where HR data should be kept and how best to store and protect it.

Data protection is essential for all HR professionals

Data protection goes beyond a corporation’s social responsibility in a digital age. It has become an essential compliance function for any organization that collects, uses or shares personal information or other potentially sensitive data.

Clients and employees alike place their trust in us to be good stewards of their data and how we handle its confidentiality. Managing this responsibility well is a fundamental piece of best business practices.

If you’re looking to modernize your HR department, download and read our complimentary e-magazine: Derailed by data? The Insperity guide to HR technology.