How should you perform due diligence for security with HR software providers? This is just one of the questions industry experts Jon Curtis (myhrtoolkit), Megan Hope (CIPHR) and Zoe Wilson (Rethink HR) discussed in EasyWeb Group’s webinar on HR software.
This post provides an overview of what to consider when performing due diligence with HR software providers.
Who is performing due diligence?
Firstly, it’s important to understand who will be performing the due diligence process and their knowledge levels. As Megan said during the webinar, “I imagine in a smaller organisation actually all of that due diligence is going to be on the HR team. It’s their decision, they’re going to go with it, they’re signing it off, they have to do all the research.”
For an SME with fewer in-house resources for due diligence, it may be prudent to liaise with external professionals. This will help ensure you are choosing the best provider for your organisation.
A checklist for due diligence with HR software providers
It’s crucial that providers can demonstrate that their product and practices are in line with the General Data Protection Regulation (GDPR), which came into force in May 2018. Just as GDPR and HR have important links, so too do GDPR and the software providers you use for HR processes.
Accreditations are another factor to consider when choosing an HR software provider. One of the leading accreditations is ISO 27001, which involves the adoption of a rigorous information security management system (ISMS) for organisational risk management.
Jon added that accreditation only tells one side of the story when it comes to security; transparency from providers is also crucial. “You really need to trust the people you will be working with. There needs to be a degree of openness and transparency from the providers as to how the product is secured.”
Performing due diligence can become daunting when it gets down to the nitty-gritty of technical security requirements. This is why it’s good to have technical members of your organisation on board during the decision process.
As Jon explained: “you will probably want some technical people involved from the start who will know which questions to ask. This is because it’s quite easy to ask the wrong questions on security because it’s easy to misunderstand. There are things around backups, disaster recovery, cryptography, where the data is stored, the provider the company is using to store the data, and so on.”
Jon also advised that a major aspect to look out for in the due diligence phase is password security. “How are passwords handled online, how are they reset, are they reporting on password strengths, are there controls on password strengths, are there configurable settings?”
It’s exceedingly rare for a SaaS provider, or indeed any company, not to be working with third-party providers. Organisations also need to consider this in terms of security and due diligence, particularly in relation to GDPR.
Jon said of myhrtoolkit as an example: “we work with Google Cloud, for example, to store our data, but there’s all sorts of other third-party providers we work with for all sorts of different things and if you’re doing your due diligence in detail you’ll want to sort of look through that as well.”
Other questions around due diligence for HR software providers
This isn’t an exhaustive list for due diligence and security; each individual organisation will have their own requirements and considerations. As Megan summarised: “Rather than taking somebody else’s list of ‘we think it needs to be ISO [compliant], we think it needs to be in the UK and we need this’, it really depends on what you need as an organisation.”
If you have any other questions about due diligence and myhrtoolkit’s HR software, feel free to get in touch with our team.