Two years later: GDPR forces HR to increase security
The HR industry works with personal data that can have enormous consequences if leaked, says a compliance advisor. Driving licences, CVs and employees' personal information in particular have been hit by data leaks. Master International, one of Europe's leading providers of HR assessment tools, has been one of the first suppliers in its field to work towards obtaining the strictest compliance declaration. “A subcontractor must live up to the GDPR”, says MHI Vestas.
Employers in Europe have now had two years to live up to the EU's General Data Protection Regulation (GDPR) since it entered into force on 25 May 2018. Hundreds of thousands of cases are running, and there have been penalties totalling several hundred million euros.
Within the HR industry, leaks of CVs and employees' personal data have primarily characterised the cases so far.
"A leak of HR data, such as personal information about employees and job applicants, can easily become the worst disaster a company will ever experience in terms of both fines and reputation", says Bo Thygesen, partner & consultant at ACI, an IT consultancy company that works within risk management and compliance.
The company has advised Master International on achieving the strictest form of GDPR compliance: an ISAE 3000 type 2, an annual declaration on how personal data is protected, backed by externally audited documentation that the controls were measured repeatedly throughout the year, i.e. proof of compliance with the GDPR rather than a claim of it.
Large companies and the public sector demand it
To obtain the ISAE 3000 Type 2 declaration, Master International spent several years on preparation, including an ISAE 3000 Type 1 approval in each of two consecutive years; over the past year, three employees worked several hours each week on achieving the declaration. This is a necessity, says the CEO.
"Large companies require a guarantee of secure data processes from their suppliers. And our public sector customers have, within the last 1½–2 years, seen it as preferable that we have a declaration that not only claims, but also proves, that we comply with the GDPR. When we had the slightly milder type 1 declaration, we had to answer a bevy of questions every time", says Jesper Broberg, CEO of Master International.
Master International is one of the very first providers of HR tests to achieve an ISAE type 2 declaration.
"We have chosen to get an ISAE 3000 type 2, to give our customers peace of mind as to whether they themselves, via their subcontractors, live up to the GDPR in their HR processes", says Jesper Broberg.
MHI Vestas: Compliance has become a must
MHI Vestas uses Master International’s partner in Denmark for recruitment which, among other things, includes personality tests of applicants.
"It provides a quick and good picture of who you are speaking to, and creates a good basis for dialogue", says Michael Storm, Head of Recruitment at MHI Vestas Offshore Wind, which has 3500+ employees and is a global player in offshore wind energy.
At MHI Vestas, GDPR was high on the agenda throughout the company for approximately 1.5 years, both before and after the regulation came into force in 2018.
"All departments are affected, but HR deals with a lot of sensitive personal data, which means that the GDPR priority is above average with us," says Michael Storm.
"This means that it is a 'must' to live up to the GDPR if you are to be a subcontractor with us. GDPR declarations, such as ISAE 3000, make it easier for us to assess it and clearly have a positive impact. If there is any doubt, the Legal Department will highlight the issue", he says.
Inforevision: Small businesses also prioritise it
Inforevision, which audited Master International's ISAE 3000 type 2 declaration, has experienced increasing demand since May 2018, and several factors drive the motivation for compliance.
"If you collect, process and store data on behalf of customers, we find that more companies want an ISAE 3000 type 2 declaration. Even the small companies. They see it as a competitive advantage, and their customers demand it. And they are reminded of the risk every time they read news about data leaks and penalties. So this is the way we see things going in the future", says John Richardt Søbjærg, Partner and Chartered Accountant.
FACTS: How Master International's ISAE 3000 Type-2 process was conducted
The IT consultancy and compliance company ACI planned a process of approximately 48 measurements that Master International had to perform repeatedly during the year. Some were performed weekly, some monthly, others every six months or annually. One measurement could, for example, be to check whether Master International's automatic deletion routine had actually deleted the records of candidates whose data the company was no longer permitted to retain.
Inforevision then prepared a work plan tailored to Master International, listing the documentation it wanted to see, and reviewed that documentation. The auditors then spent a few days at the company, asking specific questions on topics for which they wanted to see documentation on-site.
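The retention measurement described above, and the evidence an auditor later asks to see, can be illustrated with a small control check. The following is an added example, not Master International's, ACI's or Inforevision's code: it reads what is left in a candidate store after the automatic deletion job has run, computes each record's retention deadline independently of that job, lists any records that should already be gone, and emits a dated evidence record. The 180-day retention period, the record fields, the control identifier and the sample records are all constructed assumptions.

```python
"""Retention control check for a candidate store (added example, not the
company's own code). Runs after the automatic deletion job and verifies,
independently of that job's own logging, that nothing overdue survived."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional
import json

# Assumption: constructed retention period. The real period depends on the
# lawful basis and national rules; 180 days is a placeholder, not a legal claim.
RETENTION_DAYS = 180


@dataclass(frozen=True)
class Candidate:
    candidate_id: str
    last_activity: date                          # end of the recruitment process
    consent_extended_until: Optional[date] = None  # explicit consent to keep the CV longer


def retention_deadline(c: Candidate) -> date:
    """Date after which the record must no longer exist.
    Explicit consent may extend the default period but never shorten it."""
    base = c.last_activity + timedelta(days=RETENTION_DAYS)
    if c.consent_extended_until is not None and c.consent_extended_until > base:
        return c.consent_extended_until
    return base


def overdue_records(candidates: Iterable[Candidate], today: date) -> List[str]:
    """IDs of records that should already have been deleted but still exist."""
    return sorted(c.candidate_id for c in candidates if retention_deadline(c) < today)


def control_evidence(candidates: List[Candidate], today: date) -> dict:
    """Evidence record for the auditor: what was checked, when, and the outcome."""
    overdue = overdue_records(candidates, today)
    return {
        "control": "CANDIDATE-RETENTION-DELETION",  # constructed control id
        "checked_on": today.isoformat(),
        "records_examined": len(candidates),
        "overdue_count": len(overdue),
        "overdue_ids": overdue,
        "result": "PASS" if not overdue else "FAIL",
    }


# Constructed sample data: what remains in the store after the deletion job.
SAMPLE_CANDIDATES = [
    Candidate("c-1001", date(2020, 1, 10)),   # deadline 2020-07-08: should be gone
    Candidate("c-1002", date(2020, 3, 1)),    # deadline 2020-08-28: still in retention
    Candidate("c-1003", date(2019, 11, 1), consent_extended_until=date(2021, 1, 1)),  # consent extends
    Candidate("c-1004", date(2019, 12, 1), consent_extended_until=date(2020, 3, 1)),  # expired consent
]
CHECK_DATE = date(2020, 8, 1)

if __name__ == "__main__":
    # A FAIL here is a finding to document and remediate, not to hide: the
    # auditor wants to see both the failing run and the corrective action.
    print(json.dumps(control_evidence(SAMPLE_CANDIDATES, CHECK_DATE), indent=2))
```

On the sample data the check fails, because two records (c-1001 and c-1004) are past their deadlines; that is the point of the measurement. The deadline is recomputed from the stored dates rather than taken from the deletion job's own output, so the control does not merely trust the job it is meant to verify.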
FACTS: What is an ISAE 3000 Type 2 declaration
A "type 2" declaration is harder to achieve than a "type 1". The difference is primarily that a type 1 covers only a snapshot of the design and implementation of the company's controls.
For a type 2, an external auditor also audits whether the controls have operated effectively over a period, typically 12 months.