Prioritising employee data management as a business-critical risk

Recent press coverage of high-profile cyber-attacks on employee data continues to highlight the business-critical importance of securing systems and the need to manage employee data effectively, both locally and at a global level. 

In addition to preventing the workforce being paid correctly and on time, a cyber-attack could compromise your ability to demonstrate compliance with key obligations to HMRC. For example, a loss of key data could jeopardise your compliance with the National Minimum Wage, Off-Payroll Working obligations, and ability to manage broader labour supply chain tax compliance risksopens in a new tab. Loss of key data could also affect your preparations for the mandatory payrolling of benefits in kindopens in a new tab.

This article looks at key risks and considerations for the Chief Financial Officer and other business professionals, such as within Tax, HR, IT, Payroll, Legal and Data Privacy.

While cyber criminals are often behind attacks, there are other vulnerabilities within organisations which can lead to an employee data breach, with both the organisations and employees impacted. This can lead to financial losses, regulatory scrutiny, potential brand damage and loss of trust from employees, shareholders and potentially customers. As a result, key financial metrics such as revenue, profitability and shareholder value can be impacted.

Employee data, whether within HR or Payroll, is highly sensitive and at risk of misuse. This includes identity theft, financial fraud and blackmail. It's also possible for data to be accidentally accessed or shared inappropriately, either internally or externally, depending on the controls in place.

Having an outsourced payroll solution or shared services based in another country does not eliminate the risk attached to employee data. The employer remains ultimately responsible for ensuring the security and privacy of that data, even when it's processed by a third party. Under the EU/UK GDPR alone, a Data Controller can be fined up to 4 percent of global annual turnover or €20 million, whichever is higher, for data breaches.

Securing technology provides one layer of protection for employee data, but it's equally important to address:

• Human vulnerabilities: This means identifying potential risks arising from daily interactions with employee data and implementing effective controls and processes; and
• Data privacy requirements: Ensuring that these are being adhered to so as to mitigate risks and comply with UK GDPR and local legislation.

Should an organisation suffer an employee data cyber-attack/data breach, there are several areas that may be impacted which will ultimately result in a significant cost to remedy. These include:

• Financial Losses: Significant costs being incurred for the investigation, response, notification, fines and penalties;
• Share Price Impacts: Erosion of investor confidence leading to increased regulatory scrutiny and a decline in share price;
• Reputational Damage: Loss of business and decreased customer loyalty;
• Operational Disruption: Loss of productivity and revenue. For example, a website or email system shutdown can make it difficult for customers to do business;
• Legal Liability: Failure to manage data in accordance with the law can result in legal liability, including regulatory action and fines, and litigation from affected individuals (a breach impacting 10,000 individuals could in reality result in 10,000 claims);
• Compliance Costs: Compliance cost increases, including implementing additional security measures and responding to audits and investigations by regulatory agencies;
• Data Integrity: Compromised data leading to inaccurate information used in contracts or systems, potentially causing misstatements on regulatory documentation, or the creation of ghost employees for the purposes of fraud; and
• Employee Morale: Damage to employee morale and productivity, and employees may be hesitant to share information with the company for security reasons.

Organisations recognise that without comprehensive controls across their entire operations, encompassing both internal and external data usage, employee data remains vulnerable to misuse or a breach. This vulnerability extends to technology, policies, and processes. Therefore, organisations are taking a ‘top down’ and ‘bottom up’ view of how their employee data is managed and secured, in conjunction with their cyber-security strategy.

There are complex data flows when it comes to employee data, which stem beyond HR and Payroll usage and involve internal and external stakeholders. Not only is the employee data shared, stored, accessed, manipulated and retained in many different systems at a department level, but it is also shared with wider stakeholders such as Finance, Reward, IT and external parties, who are likely to be following their own practices for data management. Getting this data management right is vital in allowing the flow of this vital data, whilst mitigating risk.

That's why mapping data flows, understanding system security, and analysing data usage is crucial for identifying potential security gaps. By taking these steps, organisations can prevent data breaches and misuse, protecting both employees and the organisation.

The below are some initial questions to consider in relation to your organisation’s employee data handling, both at a local and global level:

• Could you demonstrate to key stakeholders that how your organisation’s employee data is handled and managed, both from a human interaction perspective and systems and security, is robust?;
• How have you measured how robust your data governance framework is, and has this had input from stakeholders across the organisation who process, require, or handle employee related data? Could you demonstrate that it remains current and in line with best practice?;
• How do you know there are appropriate access rights on all systems holding employee related data, along with appropriate segregation of duties for the systems, as well as the processes associated with the use of employee data?;
• Where third parties handle data on behalf of the organisation, what protocols are in place to ensure that this data is securely maintained and accessed? Are suitably robust contracts in place? When was this last tested and verified?; and
• Do you have a sufficient budget allocated to data security, including investments in technology, training and incident response capabilities?

There are some immediate actions that are highly recommended at a local and/or global level. These include: 

• Completing a review of the employee data handling procedures and controls including cyber and data privacy considerations;
• Reviewing incident and crisis management playbooks that are focused on data exfiltration/ransomware response and notification requirements to regulators and individuals impacted;
• A crisis scenario simulation to test practical response capabilities; and
• Reviewing/developing a business continuity and disaster recovery plan. 

Please contact Sandra Hurley, James Cassidy, Elizabeth Huthman, or your usual KPMG in the UK contact, if you would like to discuss how KPMG could help secure your payroll from potential cyber-attacks and ensure your organisation’s resilience.

For further information please contact:

• Sandra Hurley