Organisations are using, on average, 139 cloud-based HR apps, says Netskope’s February Cloud Report; many of which are not necessarily sanctioned by the IT Department. This risks sensitive and personal data breach and leakage, which is a concern for organisations seeking GDPR compliance in time for the 25th May 2018 deadline.
Moreover, Netskope say that the number of HR apps can exceed 3,000 at larger organisations, with HR being the worst offender. Marketing comes a close second, using on average 121 apps, compared to HR’s 139.
Talking to SC Magazine, Ross Jackson, vice president of customer transformation and innovation at Mimecast, said: “This is a particular challenge for HR and marketing teams, who act as the gatekeepers for confidential and sensitive personal data, which comes under close scrutiny for GDPR compliance.”
Why are HR apps not IT sanctioned?
The problem arises when individuals or lines of business introduce apps off their own bat, without first consulting or even informing their IT manager. This makes it likely that updates and patches don’t happen when they’re supposed to, putting the business at risk of data breaches or attacks. Ransomware and email impersonation attacks, for example, are on the rise.
HR data is particularly sensitive, and uncontrolled apps could compromise personal, financial and medical records. This would constitute a serious breach of the GDPR and risk interrupting business continuity. The reputational and financial consequences could be dire, with penalties now rising to four percent of global annual turnover.
The Netskope report also revealed that employees are risking GDPR compliance by downloading personally identifiable information from HR apps onto their mobile devices, sharing cloud-based documents with people outside their organisation and modifying financial fields in finance cloud services, despite not being authorised.
How to make sure HR apps don’t risk GDPR compliance
- Introduce a strict app policy to help avoid the problem in the first place
- Employ data loss prevention tools and set up access controls
- Review your business continuity and disaster recovery plans
- Under the GDPR, an organisation (data controller) is responsible for the GDPR compliance of its third party operators, such as app providers or payroll, so review your contracts to make sure you’re both complying with the GDPR
- Review/introduce data encryption and single sign-on authentication
- If you’re unsure of your GDPR compliance, you can seek help through accredited GDPR auditors.
- Educate employees on their responsibilities for GDPR compliance, and the risks of non-compliance.
If you need help training staff on GDPR, from board level to reception, Me Learning can help. Along with data protection specialists Clayden Law, Me Learning provides bite-size online GDPR training courses. To find out more click here.