25 May 2022 marked four years since GDPR came into full force, forever changing the way we use and understand personal data. You would think the world would be smarter about processing and storing information by now, yet 2021 saw a 40 percent increase in GDPR fines issued across the EEA and the UK, highlighting that the problem is still fresh, argues Kayley Gaylor.

In the modern world of hybrid and intercontinental work, there are several security issues that organisations commonly face. We rely so heavily on technology to allow us to collaborate, to share information and data and to feel connected to one another, yet it comes with issues. A recent study found 57 percent of employees believe they are more vulnerable to cyberattacks since working remotely. Documents, information and data are now not just stored in the office, but at home, and in the local café or workspace at the gym. The lines of where you can work, who overhears you and who can see a carelessly left screen or document have been significantly blurred.

To add to this, organisations are still lacking correct policies and procedures to ensure data safety. With 82 percent of breaches in 2021 caused by human error, it is evident that HR departments should be leading on cybersecurity and GDPR compliance, not just when onboarding staff but throughout employees’ entire time at an organisation and up until their offboarding period.

So, what can HROs do to ensure correct data protection?

Knowledge is power

HR departments must have robust processes and policies in place, ensuring all employees are properly trained. Threat actors – a group of people looking to hack your devices or networks – try to target companies via individuals using corporate routes. Quite frequently, hackers target individuals who have just started at an organisation and who might not yet have in-depth knowledge of the company’s policies. HROs therefore have a responsibility to provide adequate cybersecurity training from the very first day.

It is also very important to explain the difference between personal data and corporate data. As individuals, we resonate more with the question of “what would happen if my personal data is lost?” than with an explanation of the implications of losing a company’s data alone. Phrasing the importance of protecting information from that perspective ensures employees are trained to protect data in general, whether it’s people, financial or sales data.

Risk management

Various departments use their own software products that collect data and, with the HR department being no different, HR technology needs to be integrated within the wider company’s infrastructure. Ask yourselves: where is data stored, how is it being used, and which employees have access to it, from which entry points? It might sound quite technical, but understanding where your data sits, even from an HR perspective, is very important for data protection.

This understanding is also exceptionally beneficial for achieving organisational transparency and ensuring the right people have access to the right data. Equally, should a data leak happen, it reduces the amount of time spent identifying the channel through which the hack happened and allows appropriate actions to be taken to secure information going forward.

The evolution of HR

Throughout the years, HR roles have evolved beyond standard contracts, employee handbooks and grievance management. Today’s HROs have to be experts in wellbeing, employee relations (ER), DE&I, succession and now even cybersecurity, but not every HR leader knows or is able to fully embrace the variety of their roles. In companies where cybersecurity typically falls under the IT department, HROs need to understand their role in data protection too and get proactively involved to keep information safe whilst educating employees.

Cyberthreat activities are maturing with every passing week, and threat actors are becoming more creative in their ways of targeting companies and employees. From phishing emails and vishing (malicious calls to trick you into disclosing personal information) to smishing (malicious SMS with links) and simple password guessing, threat actors are constantly on the lookout to hack businesses. HR leaders need to be at the forefront of this, updating necessary policies and working closely with IT departments and, where necessary, external experts to organise appropriate training.

A company might have the best protection in place, from the most secure firewall to the latest Security Information and Event Management (SIEM) implementation, but if people do not know what to look out for from a cybersecurity point of view when they receive an email with an attachment or a text message with a malicious link, these systems make little difference.

The latest Mercer Marsh Benefits (MMB) report showed that 39 percent of UK businesses have been victims of cybersecurity breaches or attacks in the past year, but it’s important not to assume that the responsibility solely lies with the HR department – cybersecurity and data protection should be at the forefront of every employee’s mind, from senior managers to junior members of staff.

But it is HROs, as gatekeepers of enormous levels of information, that need to ensure data protection knowledge is available at all points of employment. In an ideal world, more organisations will start integrating cybersecurity into the HR function as soon as possible.





Kayley is a Senior HR Technology & People Transformation Manager at LACE Partners, a leading HR and Payroll transformation consultancy. In the past 15 years, she has delivered many global HR improvement and change projects including HR process improvement, outsourcing and centralisation of HR administration to Shared Service Centres.

Recently Kayley has been focusing on leading organisations through the journey of moving to the Cloud to deliver increased value and provide insights, from thinking through the experience and capabilities they need in the next generation of digital people systems, to developing the HR technology roadmap. She’s also been working on building the case for change, facilitating them through deciding on the right systems for the business to maximise the investment in digital enablers and people analytics, how choices made will impact the broader people systems landscape, as well as how the current processes and data will evolve in the Cloud.