Employee Offboarding: An Introduction to Data Privacy and Compliance for HR and IT


The issue of data privacy has become a higher priority as the number of data breaches increases, along with the implications for organizations and HR departments. After all, tens of billions of personal data records have been exposed in recent years.

Each breach prompts regulators to add safeguards similar to the European Union’s General Data Protection Regulation (GDPR), which came into effect in 2016. The GDPR has already led to fines for almost 1,000 organizations amounting to more than 1.25 billion euros. Amazon Europe takes the top prize, with a whopping €0.75 billion levy.

Other high-profile companies that have been hit with hefty GDPR fines include WhatsApp, Google, Target, Yahoo, Marriott, Equifax, and Facebook. GDPR also allows individuals to seek damages in court from anyone careless with their personal, health or other sensitive information records.

Similar laws exist around the world, such as the New Zealand Privacy Act and the California Consumer Privacy Act (CCPA). Others are coming, such as the Indian Data Protection Act and possibly a US Data Privacy and Protection Act.

“In addition to data security and protection standards, numerous government and industry regulations, such as the GDPR, tie down employee data,” said James McQuivey, VP and principal analyst at Forrester Research. “These complex regulations will increase, making it more difficult to determine what employee and personnel information you can collect and how to use it.”

Privacy and offboarding

With so many potential repercussions from privacy breaches, it’s no wonder HR departments are much more prominent in companies than they used to be. Employees are routinely assigned training regarding information sharing, data privacy policies, and security processes.

One of the biggest dangers related to privacy and data breaches in HR involves employee offboarding. It can be all too easy for a departing person to waltz out the door with a USB stick full of customer data, or retain access to certain systems, hoping to benefit at a later date.

A Past Identity study found that 83% of former employees still had access to some company accounts. Unless HR is very thorough in the offboarding process, people can find ways to get into some systems. Another finding: half of companies don’t use automated processes to change user passwords when someone leaves, and only a third delete user accounts as part of the offboarding process. It should come as no surprise, then, that 25% of employees admitted to receiving customer information from a former employer. This ranges from customer contact and financial information to complete CRM databases.

“Employers should take security measures when offboarding, such as disabling email access, removing all privileges, disabling access to all applications, and asking employees to confirm that they have returned all corporate personal information and have not retained any corporate information,” said Uzy Hadad, Ph.D., founder and CEO of Privately, an artificial intelligence (AI) based data protection and compliance provider.

In addition to disabling user accounts, organizations must follow applicable privacy regulations regarding retention of email data for prescribed periods and deletion of personal data to protect former employee rights.

“Employers may retain information about employees and the reason for termination, both as a legal obligation and as a means to protect themselves in the event an employee disputes the termination,” Hadad said. “Other data about the employee, such as information about a medical condition or private emails that are not necessary for a possible future legal dispute, should be deleted.”

Other data privacy and compliance rules may apply

The rules vary from country to country and region to region. Hadad pointed out that GDPR doesn’t say much about the details of data protection in the context of employment or termination of employment. The regulation allows Member States to set their own guidelines for the processing of employees’ personal data, both during and after employment, in accordance with Article 88 of the GDPR.

Meanwhile, in California, the California Privacy Rights Act (CPRA) goes into effect on January 1, 2023 and significantly changes the CCPA. It can be a minefield for employers if they don’t properly manage employee data.

“The CPRA will abolish the CCPA’s employee data waivers,” Hadad said. “All provisions on personal data will now also apply to employee data, including all rights, transparency obligations, impact assessment and rules on selling personal data and handling sensitive data.”

Using technology to address privacy and offboarding

IT and HR need to step up their policy enforcement efforts to prevent potential harm from departing or former employees. Organizations need to assess the data they have, the many places it resides, and how it applies to employee privacy and offboarding processes. For example, legacy systems should be checked for such data as part of a data inventory.

Other tools that can be implemented include encrypting employee data and anonymizing it via data masking. Localized cloud hosting can also be a way to avoid GDPR and other restrictions on transferring data outside of a geographic zone or across national borders.

Regular vulnerability assessments are another way organizations can ensure that employee data is protected. These should include third-party penetration testing.

“Vulnerability scans help identify multiple blind spots in data security, transmission, and weaknesses,” said Anastasios Gkouletsos, cybersecurity and data protection lead at HR platform Ubiquitous. “There are several vendors that can also help identify compliance gaps, but in general, the GDPR requires you to maintain a resilient IT infrastructure where your organizational and security measures work effectively.”

Endpoint security should therefore be an obvious priority for any business, especially those operating globally. Data privacy protection will only be effective if backed by security features such as firewalls, malware removal, ransomware protection, device management, password management, patch management, and corporate VPNs or other forms of secure connection. Don’t forget information security policies related to areas such as privacy, employee offboarding, access controls, change management, and data integrity.

Forrester’s McQuivey adds cloud-based Human Capital Management (HCM) solutions to the list of technology safeguards. Some modern HCM systems are equipped with features to prevent data privacy and data movement violations. However, when data is placed in the cloud, companies must ensure that it is only stored in permitted locations. For example, archived data is often dumped into cold storage layers in the cloud. This can lead to loss of control over the location. An active archive, a combination of open system applications and various types of disk and tape hardware, includes features that monitor and migrate data across multiple storage devices, while maintaining fast user accessibility and keeping up with data privacy requirements.

Alternatively, the organization can use the cloud for applications while keeping all data locally to stay on top of compliance.

“Since data and applications don’t need to be geographically co-located, you can launch applications in the cloud, but keep the data the application needs on-premises,” said Steve Wallo, CTO of Close proximity.

Get used to complexity and regional variations

Dealing with privacy legislation is far from easy. Expect multiple states to adopt their own rules unless the US federal government approves something soon. This will add complexity, similar to the sales tax nightmare that businesses face (every state has a different sales tax rate and policy). Worldwide, countries and regional authorities such as the EU will also enact laws that affect certain areas. It’s up to IT and HR to stay on top of that.

“Today’s global patchwork of data sovereignty and privacy laws has made it more complicated than ever for companies to create consistent policies for data sharing, integration and compliance,” said Danny Sandwell, senior solutions strategist at Quest. “This will continue to have a significant impact on organizations’ ability to maximize the use of data within their IT infrastructure unless they establish clear plans for data integration and governance. By 2023, adopting greater data sovereignty and sharing laws will drive companies to invest in making their data visible and establishing clear plans for sharing and integration into their IT landscape.”

Shreya Christina (http://ukbusinessupdates.com)
Shreya has been with ukbusinessupdates.com for 3 years, writing copy for client websites, blog posts, EDMs and other mediums to engage readers and encourage action. By collaborating with clients, our SEO manager and the wider ukbusinessupdates.com team, Shreya seeks to understand an audience before creating memorable, persuasive copy.
