Data Security & Contingent Workforce Compliance: Your Guide to Getting It Right

The following blog has been adapted from our recent ebook ‘6 Key Compliance Categories for All Contingent Workforce Programs’, which is available to download now. 

It’s no secret that the world we live in becomes more digitized by the day, and with that comes the need to protect personal information. Data compliance is often overlooked when examining contingent workforce programs, but it is a critical component of keeping your contingent worker data secure.

Here are two questions to ask when talking about data security:

  1. Is my technology SOC 2-compliant?
  2. Can my technology meet data protection requirements?


Is My Technology SOC 2-Compliant?

Before we unpack this, let’s take a look at what we mean by SOC 2 compliance.

What Is SOC 2?

SOC 2 is an attestation framework: an independent CPA firm examines a service organization’s controls and issues a report on whether they are suitably designed and, for a Type II report, operating effectively over a review period. In the context of contingent workforce programs, the data in question is your organization’s and that of your vendors, candidates, and talent pool. A current SOC 2 report is considered an essential feature of any third-party system or vendor that processes data from within or connected to your organization.

Developed by the American Institute of CPAs (AICPA), SOC 2 evaluates controls against the Trust Services Criteria, which are organized into five categories:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Security (the “common criteria”) is in scope for every SOC 2 report; the other four are included only when the service commits to them, so check which categories a vendor’s report actually covers.

You can find out more about the SOC 2 criteria on the AICPA website.

What Does Compliance With SOC 2 Look Like?

A SOC 2 report gives you independent evidence that a service provider’s controls for handling your data are designed and operating as the provider describes. When selecting or renewing with a provider, ask for the current report itself rather than accepting a statement that they are “SOC 2-compliant”.

The report is produced by an independent auditor who tests the provider’s controls; a Type II examination covers a review period rather than a single point in time. There is no “SOC 2 certification”: the output is an attestation report with a date and a period, and it has to be renewed, so check that the report is current, which categories are in scope, and whether the auditor noted any exceptions. SOC 2 does not restrict a provider to sharing data only with other SOC 2 organizations, but its vendor-management criteria require the provider to assess the sub-service organizations it relies on (hosting, support tooling and so on), so ask whether those are included in or carved out of the report.


Can My Technology Meet Data Protection Requirements?

This is especially important for organizations operating in the European Union, or handling the data of people who are there. You are likely to already be aware of the General Data Protection Regulation (GDPR), which has applied since 25 May 2018. Where this becomes tricky is that the legislation protects people who are in the European Union regardless of where your organization is located: if you offer services to, or monitor the behaviour of, people in the EU, it applies to you.

There are three obligations your program and its technology need to be able to meet:

1) User Acceptance and Consent

The first step many organizations have taken is to record that the worker has been told what personal information is collected and for what purposes, and, where consent is the lawful basis, that they have agreed. This is commonly seen online in the form of cookie consent pop-ups and tick boxes at the bottom of forms to accept T&Cs or agree to be contacted. Under GDPR, consent must be freely given, specific, informed and unambiguous, so pre-ticked boxes and acceptance bundled into T&Cs do not count, and the worker can withdraw it at any time. Consent is also only one of six lawful bases: for the data you need to run an assignment, performance of a contract or legitimate interests is usually the more defensible basis, because consent from a worker who depends on the engagement may not be treated as freely given.

2) Anonymization of Data

Another obligation is the right to erasure (Article 17). In the context of contingent labor, when a worker requests that all of their personal information be removed from your VMS, act without undue delay: you have one month to respond, extendable by two further months for complex requests provided you tell the worker within the first month. We recommend that you anonymize the data rather than delete it from your system completely, as this allows you to keep accurate program data (headcount, spend, hours) while still honouring the request. That only works if the result is genuinely anonymous: every direct identifier goes, and the remaining fields (supplier, role, exact assignment dates) must not single the person out. Data that can still be linked back to the worker with a key or lookup table is pseudonymized, which GDPR still treats as personal data. Check too whether another law (tax, employment or audit record-keeping) requires you to retain some of the data, since the right to erasure does not override those obligations.

3) Deletion

If you decide to switch providers, make sure the outgoing provider has a plan not only to deactivate your product but to delete or return your data, including copies in backups and with its sub-processors, so nothing is left unaccounted for. Article 28 requires your processor contract to cover exactly this: at the end of the service the processor deletes or returns the personal data and deletes existing copies unless law requires it to keep them. Ask for written confirmation of deletion and the date it was completed. Data left behind with a former provider is a GDPR risk in its own right and indicates a lack of due diligence, so make this standard practice whenever you switch or deactivate any product or software that holds personal data, especially on a large scale.
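The erasure and deletion steps above (items 2 and 3) are the part of this that a VMS or its integration layer actually has to implement. The following is an added example, not code from the original post or from any VMS product; the record layout, field names and the DIRECT_IDENTIFIERS list are assumptions made for illustration. It computes the Article 12(3) response deadline, anonymizes a worker record so that aggregate data survives without the person, removes the original from the store, and shows why a keyed pseudonym does not count as erasure.

```python
"""Handling a GDPR right-to-erasure request in a VMS-style worker store.

Added example; not code from the original post or from any VMS product.
Record layout, field names and DIRECT_IDENTIFIERS are assumed.
"""
import calendar
import hashlib
import hmac
from datetime import date

# Constructed sample record in the shape a VMS might hold (field names assumed).
SAMPLE_WORKER = {
    "worker_id": "W-10482",
    "full_name": "Alex Example",
    "email": "alex@example.org",
    "phone": "+44 7700 900123",
    "supplier": "Acme Staffing Ltd",
    "role": "Data Engineer",
    "region": "UK-South",
    "rate_band": "B3",
    "assignment_start": "2022-03-01",
    "assignment_end": "2022-11-30",
    "timesheets": [{"week": "2022-11-14", "hours": 40.0},
                   {"week": "2022-11-21", "hours": 37.5}],
}

# Fields that identify the person on their own (assumed list for this example).
DIRECT_IDENTIFIERS = frozenset({"worker_id", "full_name", "email", "phone"})


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of a short month."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def erasure_deadline(received: date, complex_request: bool = False) -> date:
    """Art. 12(3) GDPR: respond within one month of receipt. For complex or
    numerous requests this can be extended by two further months, provided
    the data subject is told of the extension within the first month."""
    return add_months(received, 3 if complex_request else 1)


def quarter(iso_date: str) -> str:
    """Coarsen an ISO date to a year-quarter label, e.g. 2022-Q1."""
    d = date.fromisoformat(iso_date)
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def remaining_identifiers(record: dict) -> set:
    """Direct identifiers still present in a record (empty set if none)."""
    return set(record) & DIRECT_IDENTIFIERS


def anonymize_record(record: dict) -> dict:
    """Return a copy with the person removed but the business data kept."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    # Exact start/end dates combined with supplier and role can single out
    # one worker at a small supplier, so coarsen them to quarters.
    for field in ("assignment_start", "assignment_end"):
        if field in out:
            out[field] = quarter(out[field])
    # Keep the figure reporting needs (total hours), not the weekly trail.
    out["total_hours"] = sum(t["hours"] for t in out.pop("timesheets", []))
    if remaining_identifiers(out):
        raise ValueError("direct identifier survived anonymization")
    return out


def pseudonymize_id(worker_id: str, key: bytes) -> str:
    """Keyed hash of the identifier. This is pseudonymization (Art. 4(5)),
    not anonymization: whoever holds the key can recompute the token and
    re-link the record, so it does not satisfy an erasure request."""
    return hmac.new(key, worker_id.encode(), hashlib.sha256).hexdigest()


def process_erasure(store: dict, worker_id: str, received: date) -> tuple:
    """Remove the worker's record from the store and return the anonymized
    copy together with the statutory deadline. The copy must not be stored
    under the old worker_id, or the identifier comes straight back."""
    record = store.pop(worker_id)  # KeyError if the worker is unknown
    return anonymize_record(record), erasure_deadline(received)


if __name__ == "__main__":
    store = {"W-10482": dict(SAMPLE_WORKER)}
    anon, deadline = process_erasure(store, "W-10482", date(2024, 1, 31))
    print("deadline:", deadline)      # 2024-02-29 (clamped to month end)
    print("anonymized:", anon)
    print("still in store:", "W-10482" in store)
```

The anonymized copy keeps supplier, role, region, rate band, quarter-level dates and total hours, which is enough for spend and headcount reporting; if your reporting needs the weekly timesheet trail, that trail combined with supplier and role is usually enough to re-identify the worker, so it should be aggregated before the record is kept.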


Data security may not be the most exciting topic, but it’s one of the most important areas of compliance. Often overlooked, data security can have a huge impact on your contingent workforce and vendor management.

If you want to know more about contingent workforce program compliance, download our ebook ‘6 Key Compliance Categories for All Contingent Workforce Programs’.