In these days of terrorism and world conflict, security concerns surround us every day and have forced us to become more diligent and aware of our personal safety. Look at Tunisia in 2015 and Manchester in 2017! Physical security concerns are everywhere, but what about virtual security? We expose ourselves to it every single day through the web and social media. How many times do we view a web site, order information or buy a product online and just click ‘yes’ or tick the box and scroll through to start the order process without reading the small print? Where is your personal information on the web? Spend ten minutes searching on Google and you’d be amazed what information about you is freely available. Imagine what an expert criminal could do with tools and facilities way beyond a Google search.
When you apply for or buy anything online these days, the minimum asked for is your name, email address and date of birth. Many sites ask for more than that. Do you think about what you are giving away? Possibly, but then you still do it. What about this same situation in your professional life? How often do you think about the information your employer holds on you, where it is stored and who has access to it? Hardly ever, I suspect, which is likely because there is legislation, regulation, certification, standards and processes to follow. Safe Harbor, the European Data Protection Directive 95/46/EC, the Data Protection Act 1998 (UK), the BDSG (Germany), Act No 78-17 (France) and many others are terms that you will hear in everyday business. These govern the safety of data within borders and how your data can be used and stored. But how do we know these regulations are being adhered to? ISO 27001, SSAE 16, ISAE 3402?
Is this all a foreign language? Then join millions of others. What do data security and privacy mean for HR and Payroll, for you and for your employees’ personal data? How can you ensure all of it is protected?
When handling data in your own IT environment, the data and its security would all be within your visibility and under your control. In modern business, however, the truth is that where economics and flexibility are considerations, everything is connected. Outsourcing is a common standard for many business processes, and this includes HR & Payroll. In-country HR & Payroll legislation, for example, is often so complex that only industry veterans in that country could possibly have enough knowledge and experience to keep you compliant. So you rely on the experts, but how safe are they? Due diligence is the answer, right?
Imagine you’re a large international corporation with operations in many countries. You decide to outsource your EMEA payroll to a global or regional BPO that utilises a partner network to provide local expertise. As part of the transition you will be closing your local HR and Payroll operations and implementing a shared services approach through your SSC in Eastern Europe. Personal data will be moving from your secure local databases and a global HR system into a cloud environment. The model looks something like the one below. Due diligence is needed to ensure that the data will be safe and compliant.
The first thing that should be apparent is that you lose direct control of your data and the tools that protect it. You do, however, retain your obligations to your company, employees and other stakeholders (e.g., customers, partners, vendors) to continue providing that protection! After all, you can outsource processing, but you really can’t outsource risk. So what do you do and how much control do you need to maintain? For the control freaks and OCDs out there, here is a revelation: maybe not as much as you think!
To simplify this, imagine that the model above contains an in-country partner (ICP) as part of the larger global supplier network that your organization uses under its global agreement. The local ICP provides management and process control services only. It is not the processing centre or the primary data repository. Data storage is managed by the global supplier in a data centre it either owns or leases. With this in mind, let's consider the risks.
The big risk is data protection. There might be multiple storage and access points, with varying links between them acting as transfer points, so you must focus on your risk profile. What are the considerations? To better understand this, you should:
Define the Asset:
- What is being stored?
- What is its value or sensitivity?
Define the Vulnerabilities:
- Who is storing it?
- Where is it being stored?
- How is it being stored and transferred?
Define the Threats:
- When is it accessible and therefore vulnerable?
- Who has access?
- Have you followed your processes to determine exposures at any given point?
To answer these questions, many BPO partners will present certificates, official memberships of trade associations and local data regulations as their defence. But is this enough? A level of due diligence is necessary to ensure that the partner has deployed a robust environment, that the certifications are sufficient, that they are doing what they say they are doing, and that you are satisfied they have a security and data protection strategy that meets your requirements.
Whether you start that due diligence with an RFI or RFP, or simply research your options on your own by reviewing documents, making phone calls and arranging meetings to gather information, the considerations are all the same. Your due diligence has to follow a consistent pattern and, if you are assessing multiple potential partners, it needs to follow a common process.
We realize this may create more questions than answers, so in future articles we will look at where to focus your due diligence. How much trust do you put in certifications and documents? What do they really tell you? Where does the vulnerability lie, and how can you sleep easier in the knowledge that all is as secure as it could be? In the meantime, if you are struggling with your decision or have concerns about the privacy and security of your own current state, you're in luck: stay tuned for future articles.