Could modern HR technology increase your data security risk?

One of our clients is embarking on a large implementation of a leading HR & Payroll software platform.   As part of the implementation planning phase, we have been carrying out a more detailed assessment of the security requirements. The HR team is very keen to allow access from home and mobile use for such things as reviewing payslips and booking holidays and they have been particularly impressed with the potential use of Chatbot.

A chatbot as defined by Wikipedia, (also known as a smartbot, talkbot, chatterbot, Bot, IM bot, interactive agent, conversational interface, Conversational AI, or artificial conversational entity) is a computer program or an artificial intelligence which conducts a conversation via auditory or textual methods.   A simple HR example would be a question raised via text or voice to your HR system such as what’s my holiday balance and for the computer to provide the answer without any human intervention.

Reported data breaches caused by professional hackers is almost a daily occurrence of which many are with some of the largest and most sophisticated technology companies in the world.   Businesses in the main are taking security seriously, especially when it comes to HR data with the impact of GDPR, but it is very important to consider security risks especially with new technologies such as Chatbot.

Chatbot for HR purposes is not yet widely used, with uptake predicted to increase in the same way self-service did many years ago. However, for those considering it, they need to understand what chatbot is and how the data is being processed, especially as the scope of what is being delivered increases.   In the review of a suppliers documentation, we became alarmed to see statements about how the data for Chatbot is being processed by third party services and a clear statement recommending a Data Protection Impact Assessment (DPIA).   This is not to suggest the supplier is not delivering a secure system, but it has created a need for significant due diligence before we decide whether to roll this out and the involvement of 3rd party security specialists to advise on the potential risks.