Not many HR managers are technology experts – and why should they be? Nonetheless, the HR industry has suddenly become a hot market for new IT applications. The analyst firm Bersin by Deloitte reported earlier this year that over the next 18 months, nearly 60% of organisations are planning to implement new HR or talent management systems.
Many are replacing applications run on corporate infrastructure with those delivered by the cloud and as a service (SaaS). As a result, instead of relying on the IT department, HR can now download relevant applications on demand and pay for them as an operational overhead.
This has created a momentum of its own. The cloud has brought new functionality such as the ability to capture and analyse huge quantities of data. But the more it allows HR teams to do, the more they want to be able to do – and so even more applications are developed to raise the bar even further.
Overall these advances have been good news for HR; for example, in areas such as job application tracking, cloud-based applications are enabling teams to significantly cut recruitment costs while still managing their brand reputation. But despite these benefits, many HR managers are left with one worry that was previously shouldered by the IT department; the question of security.
It’s an understandable concern. It comes at a time when HR departments hold more sensitive employee data than ever before. Many receive far more applications than they have vacancies and so these data volumes are rising. This is particularly the case with those running large-scale recruitment or graduate trainee schemes. For example, one of our customers, Deutsche Bank, receives tens of thousands of applications from across the globe for its annual graduate intake to fill a relatively small number of positions. But all this data must be carefully stored and managed in compliance with global data protection requirements which vary across different regions worldwide from the US to the UK and from Europe to China.
The UK Information Commissioner’s Office (the ICO) , which is responsible for implementing the Data Protection Act (DPA), has produced a very useful document on the topic entitled Guidance on the Use of Cloud Computing. It states “… it will be the cloud customer who will determine the purposes for which and the manner in which any personal data are being processed. Therefore, it is the cloud customer who will most likely be the data controller and …. have overall responsibility for complying with the DPA.”
So how can an HR manager, lacking the specialist background and expertise of their IT counterpart, ensure this security? Or if the IT department is still managing procurement, how can HR ask the right questions to ensure the chosen provider meets their standards?
At this stage many might yearn for the past when confidential data was held under lock and key. However, these days, this information needs to be constantly updated and quickly available in a straightforward format to authorised users at any time and from any location. So how do you balance this demand for transparency and accessibility with the intensified need for security?
With a public cloud there could be real issues. True SaaS shares one software solution (with all upgrades automatically provided to all users instantly) and one universally shared database hosted in the cloud. The cloud provider decides where to store the data and can even move it around to different centres across the world to optimise their overheads. This can cause problems when data is transferred outside the EU – even when it is held in the US where the Patriot Act can override any UK protection provided by the DPA, giving the authorities the legal right to sift the data and take control. For those holding personal and confidential candidate and job seekers’ information, this can present a legal nightmare.
So here’s a short checklist of what to look for in a provider:
- Insist on a company that offers individual databases and total control of the location of the data centre – and for UK companies this preferably means selecting one with a UK data centre.
- Choose a provider already established in the HR environment as their solutions will take its specific challenges into account. The cloud has encouraged a flurry of start-ups, who may not prioritise security as highly as some of their competitors.
- Check your potential supplier’s customer list. Does it include other organisations – such as government bodies – that regard security as paramount?
- Is it working towards the latest version of ISO27001, the 2013 version of the international information security management standard, revised to take into account changing IT platforms and practices?
In reality, while it’s essential to ask these questions, most HR-focused providers are more than aware of customer concerns and the need to meet certain requirements, especially those on the government’s G-Cloud programme. Their security levels may well exceed a customer’s normal standards and go beyond the required accreditation or IL-level benchmarks.
The fact that the government is now encouraging the cloud should also provide some reassurance. Once HR teams are satisfied that their provider will keep their data safe, there are many benefits to be gained.
Paul Finch, managing director of Konetic
