Employee data is one of a business’s most valuable assets, yet many people now take solution security for granted and assume it is automatically addressed. But ask yourself the question ‘Do I really know how our HR software is protecting our employee data?’ If the answer is no, you might want to start learning more about how you are protected.
When it comes to employee data protection, you can never know too much. The more you know about how your valuable data is protected, the more you can rest easy knowing your data is in secure hands.
4 Questions to Ask Your HR Provider
It can be quite confusing choosing what questions to ask when evaluating an HR solution’s security, especially for those who don’t deal with security issues often. That’s why we have compiled a list of 4 questions to help you find out whether your HR system is protecting your employee data effectively.
1. Are you ICO registered?
It is a legal requirement for any organisation in the UK that’s processing personal data to be registered with the Information Commissioner’s Office (ICO). This should always be the first question you ask as it is the most basic check you can make.
However, just because an organisation is ICO registered does not mean it is secure; it only confirms that it is at least aware of its legal security responsibilities. You can check whether an organisation is ICO registered through this search tool.
2. Are you ISO27001 accredited?
This question is a deal-breaker: if your HR software supplier is not ISO27001 certified, seek to switch providers immediately. ISO27001 sets the international standard for information security management and is difficult to achieve. Only organisations that have their internal systems tested by an external auditor can demonstrate that their information security processes are up to industry standard.
Unlike the ICO, there is no central registry for organisations that are ISO27001 certified. This means that you will have to verify their accreditation yourself using the steps below:
Request their registration certificate. Any organisation that is ISO27001 accredited will have a copy of this certificate showing you the accrediting body, the valid-from and valid-to dates, and the full scope of the accreditation.
Check the scope. Does it cover your personal data? Ask the organisation in question for a scope definition that explicitly covers its HR software.
Find out which accreditation body awarded the certificate. Anyone can recommend a company for ISO27001 accreditation, so it’s important that you ensure the body is recognised by its country’s government. For example, the main accreditation provider for the UK is UKAS.
Verify the certificate. The best way to do this is to call the accreditation provider and ask them to confirm that the HR software provider in question holds the accreditation.
If you are in contact with an organisation as open and friendly as Edays, they will be more than happy to provide it on request. You can find our certificate here.
3. Where do you store our data? Is it reliable?
At this point, you may be sure that your employee data is being dealt with appropriately. However, your checks so far have only covered the HR software provider directly, not the data centre or cloud it uses to store your data. You will need to verify that the data centre is also ISO27001 accredited, not just your HR software vendor. You will want to check the following about the data centre:
– Backup and recovery procedures
– Disaster recovery plans
– Penetration testing
– Cloud or data centre?
Edays stores all of our data on the market-leading Microsoft Azure platform to ensure that both our own and all our customers’ data is protected with the most modern technology and processes.
4. Do you have regular penetration tests?
As security technology within HR solutions continues to evolve, so do the methods of breaking that security down. To keep on top of these changes, regular penetration tests are required to put the system under pressure, exploiting any potential weakness that hackers could use to steal your data.
Make sure your HR software provider can tell you which company they use to conduct these tests, and that the company is reputable.
These four questions should help you confirm that your HR system is storing your data safely, and it is your responsibility to ensure your employee data remains in safe hands. Employee data is one of your most valuable assets and should be treated as such.
If you would like to know more about our security, head over to our security page.