How To Know If Your HR Tech Vendor is going to cost you an additional $1m

This is a guest post by Qian Li, an internationally recognized Fellow of Information Privacy. He is also the author of the most-read article on The Privacy Advisor, an online publication by the International Association of Privacy Professionals.

Over the past 2 years, it has become apparent that HR Tech is playing an increasingly important role in using personal data to aid businesses, especially in automation, analytics and artificial intelligence.

Organisations are increasingly using HR Tech companies as intermediaries to process personal data, which creates an immediate need for those organisations to ensure that these service providers have sound data protection practices.

Why?

Because the organisation that hires a service provider is responsible for them under data protection laws such as the Personal Data Protection Act (PDPA) of Singapore.

The organisation and the service provider each face up to $1 million in fines under the Personal Data Protection Act in Singapore, and that is excluding hidden costs such as legal fees, forensics, recovery and disruption to operations.

With new data protection laws being implemented in the region, and new or amended guidelines being issued by data protection regulators, all companies – especially HR Tech companies – must keep abreast of these developments.

In this article, I will be sharing 5 common risks to look out for when engaging HR Tech Vendors.

1. The Data Protection Officer (DPO) has not been appointed or is not sufficiently competent

Under the PDPA, all organisations must appoint a DPO to ensure the organisation complies with the PDPA.

There has been an encouraging shift recently in appointing more senior staff members to take up this role.

This is an improvement on appointing staff who lack the seniority to ‘get things done’ in relation to data protection, or junior staff members who do not understand the company’s processes.

The worst case is where no one has been appointed as DPO.

A quick way to know if the DPO is competent is to look out for the relevant certifications.

Specifically, the DPO should have good knowledge of what the PDPA is about, and how to comply with the PDPA.

The 8 certifications listed on the Personal Data Protection Commission’s website which you may wish to consider are:

  • Advanced Certificate in Data Protection Operational Excellence*
  • Advanced Certificate in Data Protection Principles*
  • Hands-on Data Protection Officer Training Programme – Enabling New Competencies for the Data Protection Officer & Complying with the Personal Data Protection Act
  • Certified Information Privacy Manager Programme
  • Certified Information Privacy Technologist Programme
  • Certified Information Privacy Professional Asia Programme
  • Certified Information Privacy Professional Europe Programme
  • Practitioner Certificate in Personal Data Protection (Singapore) Preparatory Course

In my personal opinion, as organisations are expected to be able to demonstrate accountability, attending the basic Fundamentals of the PDPA alone is insufficient to fulfil the role of a DPO.

* https://www.pdpc.gov.sg/Organisations/Help-for-Organisations

PDPA-related training from PDPC’s website


2. The “Paper Policy Phenomenon”

From the enforcement cases released by the PDPC, we can clearly infer that it expects organisations to have sound policies and SOPs in place.

In general, organisations should have at least an Internal Data Protection Policy for staff and an External Data Protection Notice for clients.

I have personally looked through many “Personal Data Protection Policies” (which strictly speaking, are Data Protection Notices) and realised some companies have simply copied the entire data protection notice from other companies.

For example, I have seen an F&B company listing a retail company’s website as a reference in their data protection notice.

Now, to test whether a company is employing “paper policies”, in other words policies that were simply written without any implementation, one can look out for little details like the one I have shared above, or simply call the company’s general line and ask for the DPO.

You may be as shocked as I was at the number of times I was told “We do not have one” even though the policies said otherwise.

However, if you are using HR Tech Vendors for a large amount of personal data, or for very sensitive personal data such as financial and health data, you should conduct an audit or engage a third-party expert to check in greater depth.


3. Lack of proper training structure

Of all the enforcement cases announced in 2018, approximately 90% were caused by carelessness, while only 10% were due to cyber attacks such as hacking.

Hence, it becomes crucial that companies have robust training programmes for new staff and ongoing training for existing staff.

The training material should also be updated with learnings from the enforcement cases at reasonable intervals.

Image from Lianhe Zaobao: Straits Interactive conducting Virtual Reality Training for DPOs

A simple question to ask your vendor would be: “What percentage of your company’s staff are trained and competent in data protection? Please show us your training records and tell us about the qualifications of the person who conducted the training for you.”

A company with a well-managed data protection programme will be able to provide these statistics and this information quickly.


4. No proper procedures, especially for breach response

From my experience, the absolute nightmare strikes when a breach occurs, and the investigation by the PDPC commences.

If you haven’t heard, there was an open consultation last year on a mandatory 72-hour window for companies to report a breach to the PDPC.

The Guide to Managing Data Breaches 2.0 was released recently and you can find it here.

Suppose the breach was caused by your vendor, and they did not have a proper procedure to escalate the matter to their senior management and, more importantly, to the client (you).

This would mean that the damage would not be contained, which would definitely implicate you during the investigation.

You may even get unwanted exposure in the media.

An example of an HR Tech Company in the news for the wrong reasons

For a start, you can detect a risky vendor by asking for the Incident Response Plan.

Do take note – an overly simplistic one also spells trouble.

Now for automated decision-making services such as AI-aided functions.

They are extremely risky due to Type 1 (false positive) and Type 2 (false negative) errors.

In other words, the system may make the wrong decision for an individual where the consequences could be disastrous, such as causing a candidate to lose a job opportunity or a fair promotion.

While there is no fool-proof way to prevent these errors, you should ask if your vendor has a defined process to review and correct mistakes.


5. Untested Tech Platforms

Most vendors will be eager to focus on how their services can work wonders, but may not share much about their security measures.

Since even international standards such as ISO are still evolving to add new sections on data protection, a more practical approach is simply to ask for the vendor’s Penetration Test and Vulnerability Assessment results, followed by an explanation of the company’s remediation plans.

The last thing you would want is for your HR Tech Vendor to lose personal data and for you to suffer the collateral consequences.


Why would these cause an additional $1 million in damages?

I hope you’ve enjoyed the points I raised so far.

Do note that these are basic errors that violate the fundamentals of the PDPA, and yet, from my experience, many organisations are not equipped to answer these questions with substantiation.

In data incidents such as leaks, the cost of legal fees, cyber forensics and recovery can far outweigh the fines under the PDPA.

For the many companies that provide services or products to other companies, an incident may also cause contracts to be lost or indemnity clauses to be triggered.

I have shown that the consequences of mistakenly entrusting personal data to the wrong HR Tech Vendor are extremely severe, and suggested a few ways you can use as an acid test to check your vendor. Remember, at the end of the day, you can outsource the task, but not the responsibility.

Need help?

If you found this useful, come along to the Data Protection Excellence (DPEX) Network Forum 2019 happening from 11 – 12 June 2019. There will be regulators sharing updates for Singapore and the region, as well as DPOs sharing their experiences handling data breaches and working towards achieving the Data Protection Trust Mark. I’ll be there too!

Singaporeans and Permanent Residents also receive generous funding to attend the Master Class (which includes access to the DPEX Network Forum 2019). Here’s the link to register with funding information.

Alternatively, reach out to me at [email protected]

I don’t give legal advice, but I can probably point you in the right direction (including available funding to help you along).
