Early in the morning, Ernst the auditor is finalizing the analysis of the HR process. Many people have been fired in the past period, so the personal data of these former employees must be processed properly. This is HR's job, but it tends to go wrong every now and then. So far Ernst has already found more than 3 errors that could potentially cause problems.
At the end of the quarter, the auditor analyses all processes in the company. With the help of control programs, company documents and procedures, all risks and errors can be identified in time. All corporate communication guidelines must be adhered to, and protocols must be followed. Internal auditors ensure that the company is compliant with the standards and norms so the framework of standards can be certified. This can also be used to demonstrate that the company is GDPR compliant.
Data leak due to poor control of the leaver process
After analyzing the leaver process, Ernst notices that some people are still being paid while they should only receive a transition payment. Besides that, someone reported that former staff still have access to sensitive data. According to the GDPR, all personal data must be processed, stored, or deleted as stipulated by EU privacy law.
A data breach like this one comes with a hefty fine of up to 4% of the global annual turnover. That is why it is important that the user accounts are closed as soon as someone is on leave or if they stop working for the company. Leaking personal data can also damage the company's reputation. Not only does it have a negative effect on staff, but it also deters customers and business partners.
More awareness, better communication and programs can be the solution
Ernst finds it annoying that HR is not fully aware of the consequences. Based on the root cause analysis, the same mistakes are being made over and over each year. Namely, people in HR forget to report the termination of employment of a former employee, which means that they are unjustly paid and have access to sensitive information.
This entails serious security risks that can have major consequences, and the root cause is human error: the termination is never reported, so nothing downstream is triggered.
This could have been prevented with better communication and an IAM service that keeps the joiner-mover-leaver (JML) records synchronized between HR, IT and the auditor, so that a termination recorded by HR automatically disables the account and stops the payment. Unfortunately, HR is often busy, and they only call when something has gone terribly wrong. Ernst hopes that management will take action in the future to spread security & privacy awareness. He has previously proposed to management to organize IAM and awareness workshops to realize this.
To comply with the GDPR, personal data must be processed according to the law. Internal communication within a company plays an important role in this. If the process is not automated, HR, IT and the auditor must be on the same page to avoid errors.
A utility program can help to save time, prevent errors and automate this process: it reconciles the HR leaver list against active accounts and payroll on a schedule, so a forgotten termination is caught by a control instead of by an incident. Spreading awareness about IAM helps to better control this process and comply with the GDPR.
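The reconciliation check described above, as an added example that is not part of the original article and not the code of any IAM product it alludes to. It assumes three extracts that the control program would pull from HR, the directory and payroll (the record layouts, field names and sample rows are all constructed for this illustration) and flags exactly the two failures Ernst found: an account still enabled after the leaving date, and a payment still active after it. Accounts with no HR record are reported as orphans rather than silently accepted, because an unmapped account is the case the JML process cannot govern at all.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


# --- record layouts (assumed; a real control program would map these from
# --- the HR, directory and payroll exports it is given) ----------------------

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    termination_date: Optional[date]   # None means the person is still employed


@dataclass(frozen=True)
class Account:
    employee_id: Optional[str]         # None when the account is not linked to HR
    username: str
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class PayrollEntry:
    employee_id: str
    active: bool                       # True while regular salary is still paid


@dataclass(frozen=True)
class Finding:
    employee_id: Optional[str]
    check: str
    detail: str


def reconcile_leavers(hr: List[HrRecord], accounts: List[Account],
                      payroll: List[PayrollEntry], today: date) -> List[Finding]:
    """Cross-check directory and payroll against the HR leaver list.

    A person counts as a leaver once their termination date is today or in
    the past; a future termination date is not a finding yet.
    """
    by_id = {rec.employee_id: rec for rec in hr}
    findings: List[Finding] = []

    def has_left(rec: HrRecord) -> bool:
        return rec.termination_date is not None and rec.termination_date <= today

    for acct in accounts:
        rec = by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            # Nobody in HR owns this account, so no leaver event can ever disable it.
            findings.append(Finding(acct.employee_id, "orphan_account",
                                    f"{acct.username} is not linked to any HR record"))
            continue
        if has_left(rec) and acct.enabled:
            findings.append(Finding(rec.employee_id, "account_enabled_after_leaving",
                                    f"{acct.username} still enabled; left {rec.termination_date}"))
        if has_left(rec) and acct.last_login and acct.last_login > rec.termination_date:
            # Evidence of actual use, not just a stale flag: treat as a potential data breach.
            findings.append(Finding(rec.employee_id, "login_after_leaving",
                                    f"{acct.username} logged in {acct.last_login}, "
                                    f"after leaving {rec.termination_date}"))

    for entry in payroll:
        rec = by_id.get(entry.employee_id)
        if rec is not None and has_left(rec) and entry.active:
            findings.append(Finding(rec.employee_id, "payroll_active_after_leaving",
                                    f"salary still active; left {rec.termination_date}"))
    return findings


# --- constructed sample extracts, with the run date fixed so the result is stable

SAMPLE_TODAY = date(2024, 5, 15)

SAMPLE_HR = [
    HrRecord("E001", date(2024, 3, 31)),   # left six weeks ago
    HrRecord("E002", None),                # current employee
    HrRecord("E003", date(2024, 6, 30)),   # leaving later; not a leaver yet
]
SAMPLE_ACCOUNTS = [
    Account("E001", "jdoe", True, date(2024, 4, 10)),     # still enabled and used
    Account("E002", "asmith", True, date(2024, 5, 14)),
    Account("E003", "bwong", True, date(2024, 5, 13)),
    Account(None, "svc-legacy", True, None),              # no HR owner at all
]
SAMPLE_PAYROLL = [
    PayrollEntry("E001", True),   # still being paid after leaving
    PayrollEntry("E002", True),
]


def run_sample() -> List[Finding]:
    return reconcile_leavers(SAMPLE_HR, SAMPLE_ACCOUNTS, SAMPLE_PAYROLL, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.check:32} {f.employee_id or '-':6} {f.detail}")
```

Run on the constructed extracts it reports four findings: two for E001's account (still enabled, and a login after the leaving date), one for the orphaned service account, and one for E001's salary. Scheduling this at the end of every pay period, with the output going to both HR and IT, is the "utility program" the article has in mind; the orphan check is the piece most often forgotten, since it catches accounts that were never in scope of the leaver process to begin with.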