This level of detection work requires collaboration across an organisation to keep everyone vigilant for red flags. “While the technology is available to automate privileged access management, closer collaboration between HR officers and IT administrators can also pre-empt malicious activity and provide an additional layer of security,” says Lindner.
“HR should build strong partnerships with their internal risk management and IT security department, as well as with their legal teams, and engage them to spot issues when HR is procuring new software or other tools, given most HR applications process or store personally identifiable information,” agrees Black Duck’s Meier.
This is a level of vigilance that Oliver Allanach, solicitor and employment law expert at law firm Gordons, also promotes, noting that with the use of third-party IT platforms—payroll management, recruitment, employee engagement and so on—employers remain the responsible "data controllers" of the personal data used. “This means employers have overall responsibility for safeguarding employee data,” he says. “These duties cannot be contracted out to external providers, although risk can be managed contractually depending on the negotiating power of each party. As a result, employers and HR teams must take care when using others to manage employee data. Even if you are working with a market leader, this does not guarantee that data will be totally secure.”
One of his top recommendations is to conduct due diligence. “Data privacy laws allow data controllers a reasonable right of audit of third-party processors,” Allanach says. “Depending on the contract terms, this can range from a comprehensive right of audit through to third-party security certifications. This is a useful right to invoke to ensure contractual compliance.”
What this complexity ultimately comes down to is a good data protection policy (DPP), as recommended by Daniel Milnes, partner at Forbes Solicitors. “A well-developed DPP will cover key elements of how data is collected, used, stored, accessed, and shared,” he says. “This will take into account any local laws and regulatory requirements governing data protection and will assess the varying threats to data security. For these reasons, creating a DPP acts as a valuable first step towards risk mitigation, enhancing compliance, and promoting best practice.”
Research from CyberArk finds that 65% of employees often bypass cybersecurity policies to make their lives easier, and 38% either “sometimes” or “never” adhere to guidelines on handling sensitive information when using AI tools.
However, as with any other policy, its ultimate strength will rest in the extent to which it is understood, observed, and implemented. Otherwise, this simply represents a description of what should be happening rather than delivering any real protection.
“Once a DPP has been created, it’s important that HR communicates the policy to staff,” asserts Milnes. “This helps ensure all parties understand their roles and responsibilities in terms of data management and security, and take it seriously, if staff don’t comply.”