By Links International
Global data security concerns
Payroll data is among the most sensitive business information, and enterprises in Asia must do their best to protect it. Consider whether your privacy concerns are met, and the types of data security processes being practiced.
With numerous countries in Asia, it is only natural for privacy requirements to vary greatly from location to location. Links International, a notable payroll provider in Asia, routinely comes across a few common questions when speaking to clients, especially banking and financial institution clients, who outsource their Asia payroll.
The complex world of Asia Data Privacy
Asia data privacy laws can get quite complicated because they remain highly fragmented from country to country, making it complex for companies to ensure they host, protect, and retain data in accordance with each local data privacy law.
For example, the personal data of Chinese citizens is required to be hosted in China, while Taiwanese privacy laws can prevent companies from hosting Taiwanese citizens’ personal data in China. This may pose issues for companies with a presence in Taiwan if they are headquartered in China.
As such, companies operating in Asia need to ensure that they, and in particular, their HR and payroll providers who handle their employees’ personal information, take adequate measures to comply with data privacy laws.
Why being ISO 27001 compliant is important
As Asia data privacy can be complicated, especially for overseas companies investing in Asia, it is recommended that businesses outsource their payroll to the right partners. The best payroll service providers voluntarily adopt security standards and are compliant with ISO 27001.
Published by the International Organization for Standardization, ISO 27001 is part of a family of standards that help organisations keep their information assets secure. Asia payroll providers that meet the standard are certified compliant by an independent, accredited certification body on successful completion of a formal compliance audit. Leading Asia payroll outsourcing companies choose to implement the standard to benefit from best security practices and to reassure clients that the standard's recommendations have been followed. For instance, checking the existence of key documents such as the Statement of Applicability (SoA) and the Risk Treatment Plan (RTP) is a preliminary step towards certification.
Other common standards that good Asia payroll outsourcing companies hold include SOC 1 (SSAE 16/ISAE 3402) and SOC 2. It is worth noting, though, that a large number of common US and UK certifications are not widely used in Asia. However, asking your provider whether they hold ISO 27001 is a good way of quickly weeding out risky vendors.
Common questions on data security: Where is the data hosted and who has access to it?
All businesses with an IT or compliance function need to understand the following when determining the level of risk associated with a payroll outsourcing company hosting confidential HR information:
• Where will the payroll data be physically hosted?
• Is the server physically owned or leased?
• How is the network structured?
Data should always be hosted in a way that complies with local data privacy laws. It is worth noting that certain industries in specific countries have statutory requirements that information be hosted and stored in-country, as opposed to in offshore processing centres in low-cost countries, e.g. India, the Philippines, Malaysia, etc.
How secure is the payroll data when stored and transmitted?
Assuming the payroll provider is ISO 27001 compliant, most potential questions from clients about data storage and transmission will concern whether the payroll data is encrypted at rest (i.e. protected while on disk or in storage) and encrypted in transit.
The best Asia payroll service providers encrypt data at both stages, which helps client HR teams obtain compliance sign-off more easily. Many compliance and IT teams are not comfortable transmitting confidential payroll data over unsecured email (even if the attachment is password protected), so it is vital that your Asia payroll provider can offer other options for data transmission, e.g. FTPS (FTP over TLS).
Furthermore, how data is retained and destroyed when no longer required is a point of interest for compliance teams. Ensuring that your Asia payroll provider has clear data retention policies is your first port of call.
Who has access to the data?
What is the framework for access to payroll data? And how is access monitored?
A basic starting point for Asia payroll providers should be to restrict user access to client payroll data on a strictly need-to-know basis, with their data access policies standardised across users and reflecting this principle.
Monitoring user access is another significant but often overlooked step; the practicality of monitoring access to payroll data at scale, and of detecting potential data breaches, is crucial. Having a well-documented security policy is good, yet the systems and processes in place to check for security breaches are even more important.
Good information to find out from the payroll provider on data access:
• What proof do they have to show they follow the processes to check data breaches?
• Does the provider have a Data Loss Prevention system in place to prevent breaches as well as analytics and alerts to notify of a potential breach?
• Does the provider conduct vulnerability and penetration testing on a regular basis?
• Can the provider utilise Multi-Factor Authentication to prevent unauthorised access?
• Can the payroll provider discover, restrict, and monitor privileged identities and their access to resources from a single system?
• Does the payroll provider maintain an access log and can the access log be edited?
A concerning number of Asia HR technologies are known for lagging behind the rest of the world. Thoroughly understanding your vendor's ability to detect and monitor potential breaches is key to reducing your chances of making the headlines for the wrong reasons.
What other information security questions should be asked?
While there are still many questions to ask payroll vendors, here is a list of questions that large clients frequently ask:
• What on-premises security is there? E.g. in-office CCTV (with readily available access to recordings), monitored alarm systems, etc.
• How does the provider communicate InfoSec policies and procedures to staff? Can they provide evidence such as email communications, training records, memos, etc.?
• How does the provider reference check new staff? What is the disciplinary process in the event of a security incident with a staff member?
• How are change and access requests processed? Can proof of requests be given?
• What firewall/antivirus protection is used? How are updates and patches distributed systematically to all users?
• What are the backup and disaster recovery procedures?
• What controls does the provider have to address the use, handling, protection, and sharing of confidential data with subcontractors?