Employee Offboarding: A Data Privacy And Compliance Primer For HR And IT

Image Credit: Colin Anderson Productions pty ltd/Getty Images

Check out all the on-demand sessions from the Intelligent Security Summit here.

The issue of data privacy has risen in priority as the volume of data breaches multiplies — along with the implications for organizations and HR departments. After all, tens of billions of personal records have been exposed in recent years.

Each breach spurs regulators to add safeguards similar to the European Union’s General Data Privacy Regulation (GDPR), which became law in 2016. Already the GDPR has resulted in fines for close to 1,000 organizations to the tune of more than 1.25 billion euros. Amazon Europe takes top prize, with a whopping €0.75 billion levy. 

Other high-profile companies assessed large GDPR fines include WhatsApp, Google, Target, Yahoo, Marriott, Equifax and Facebook. GDPR also enables individuals to seek damages in court from anyone being careless with their personal, health or other sensitive information records. 

Similar laws are in evidence around the globe, such as the New Zealand Privacy Act and the California Consumer Privacy Act (CCPA). Others are coming, such as India’s Personal Data Protection Bill and possibly an American Data Privacy and Protection Act. 


Intelligent Security Summit On-Demand

Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.

Watch Here

“Beyond data security and protection standards, numerous government and industry regulations like GDPR bind workforce data,” said James McQuivey, VP and principal analyst at Forrester Research. “These complex regulations will increase, making it more difficult to determine what employee and workforce information you can collect and how you can use it.” 

Privacy and offboarding 

With so much potential fallout from privacy violations, it’s no wonder that HR departments are far more prominent in businesses than they used to be. Employees are routinely assigned training regarding sharing of information, data privacy policies and security processes. 

One of the biggest dangers related to privacy and data breaches in HR concerns employee offboarding. It can be all too easy for a departing person to waltz out the door with a USB drive full of customer records, or retain access to certain systems, hoping to profit at a later date. 

A Beyond Identity study found that 83% of former employees could still access some corporate accounts. Unless HR is very thorough in the offboarding process, people can find ways to get into some systems. Another finding: Half of businesses don’t use automated processes to change user passwords when someone leaves, and only a third delete user accounts as part of the offboarding process. Consequently, it shouldn’t be a surprise that 25% of employees admitted to having taken client information from a former employer. This ranges from client contact and financial information to entire CRM databases. 

“Employers should institute security measures in offboarding, such as disabling email access, removing all rights, disabling access to all applications and asking employees to confirm that they have returned all corporate personal data assets and have not kept any company data,” said Uzy Hadad, Ph.D., founder and CEO of Privya, an artificial intelligence (AI)-based data protection and compliance vendor.

As well as disabling user accounts, organizations should follow applicable privacy rules in regard to retaining email data for prescribed periods and deleting personal data to protect the rights of the former employee.

“Employers are allowed to keep information about employees and the reason for termination, both as a legal obligation and as a means of protecting themselves in case an employee challenges the termination,” said Hadad. “Other data about the employee, such as information relating to a medical condition, or private emails that are not required for any potential future legal dispute, should be deleted.” 

Other data privacy and compliance rules may apply

Rules vary from country to country and region to region. Hadad pointed out that GDPR doesn’t say much about the specifics of data protection in the context of employment or termination of employment. The regulation allows member states to set their own guidelines for the processing of employee personal data both during and after employment, according to Article 88 of GDPR.

Meanwhile, in California, the California Privacy Rights Act (CPRA) goes into effect on January 1, 2023, and significantly amends the CCPA. It could be a minefield for employers if they don’t manage employee data appropriately. 

“The CPRA will eliminate the CCPA’s employee-data exemptions,” said Hadad. “All provisions about personal data will now also apply to employee data, including all rights, transparency obligations, impact assessment, and rules about selling personal data and treating sensitive data.”

Using technology to address privacy and offboarding

IT and HR need to do more policy enforcement to avoid potential harm from departing or former employees. Organizations should assess the data they have, the many places it resides, and how it applies to employee privacy and offboarding processes. Legacy systems, for example, should be checked for such data as part of a data inventory. 

Other tools to implement include encrypting employee data and anonymizing it via data masking. Localized cloud hosting, too, might be a way to avoid falling afoul of GDPR and other restrictions against transferring data outside one geographic zone or across national boundaries.

Regular vulnerability assessments are another way organizations can ensure employee data is secured. These should include third-party penetration tests.

“Vulnerability scans help identify multiple blind spots in data security, transference and weaknesses,” said Anastasios Gkouletsos, cybersecurity lead and data protection at HR platform Omnipresent. “There are several vendors that can also help identify compliance gaps, but in general, GDPR requires you to maintain a resilient IT infrastructure wherein your organizational and security measures are working effectively.”

Endpoint security, therefore, should be an obvious priority for every company, particularly those operating globally. Data privacy protections won’t be effective unless supported by security features such as firewalls, malware removal, ransomware protection, device management, password manager, patch management and business VPNs or other means of secure connection. Don’t forget about information security policies relating to areas such as privacy, employee offboarding, access controls, change management and data integrity.

McQuivey of Forrester adds cloud-based human capital management (HCM) solutions to the list of technology safeguards. Some modern HCM systems are equipped with features to avoid violating data privacy and data movement rules. Whenever data is placed in the cloud, though, businesses should ensure it is stored only in permitted locations. For example, archived data often gets dumped into cold storage tiers in the cloud. That could lead to loss of control of its location. An active archive combination of open system applications and different types of disk and tape hardware contains features that monitor and migrate data across multiple storage devices while maintaining fast user accessibility and keeping track of data privacy requirements. 

Alternatively, the organization can harness the cloud for applications while retaining all data locally, as a way to stay on top of compliance. 

“Since data and applications don’t need to be geographically co-located, you can launch applications in the cloud, but keep the data that the application needs on-prem,” said Steve Wallo, CTO of Vcinity. 

Get used to complexity and regional variations

Dealing with privacy laws is far from easy. Unless the U.S. federal government passes something soon, expect multiple states to pass their own rules. This will add complexity akin to the sales tax nightmare that businesses deal with (each state has a different sales tax percentage and policy). Globally, too, countries, and regional authorities such as the EU will enact laws impacting certain areas. It is up to IT and HR to stay on top of all this. 

“The current global patchwork of data sovereignty and privacy laws has made it more complicated than ever for businesses to create consistent policies on data sharing, integration and compliance,” said Danny Sandwell, senior solutions strategist, Quest. “This will continue to have a significant impact on organizations’ ability to maximize the use of data across their IT infrastructure, unless they put together clear plans for data integration and governance. In 2023, the passing of more data sovereignty and sharing laws will spur businesses to invest in getting visibility into their data and creating clear plans for sharing and integration across their IT landscape.”  

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.