People data is critical infrastructure. It’s time we treated it that way, writes Alastair Luff, Chief Information Officer at MHR, which offers workforce management, HR and payroll software.
Technology leadership teams across all organisations are having constant conversations about data: how best to use it, protect it, and build systems that can handle it responsibly at scale. Underpinning much of that discussion is a more fundamental question: are we treating the most sensitive data with the seriousness it deserves? My answer, in a lot of businesses, is no.
In this context, by infrastructure I mean the systems that are foundational to how an organisation operates: always-on, highly governed, and designed on the assumption that failure is systemic, not contained. By that definition, people data, particularly payroll, tax information, and employee financial records, is infrastructure. It is the information that sits at the heart of every HR system and directly affects the financial security and personal privacy of every employee.
Protecting this most sensitive data needs to be treated as an infrastructure matter.
Fragmented data is putting HR and payroll at risk
Every organisation depends on the accuracy of its data to make decisions and to earn the trust of the people who work there. That dependency is nowhere more acute than in HR and payroll. Getting it wrong can result in people being paid incorrectly and in wrong decisions being made on headcount, resource allocation and workforce planning, and the resulting downstream damage can be significant.
Yet the governance structures underpinning this data are, in many organisations, fragmented and out of date, with different teams operating under different rules and on different systems. On top of this, in many cases, the technology managing this data was designed for a different era, before the volume and complexity of modern data environments existed.
Fragmented data governance creates compounding risk. When data is managed inconsistently, it becomes harder to trust and considerably harder to protect. That is a problem in any function. In HR and payroll, it’s a serious one.
The changing threat
Cyber threats are growing more sophisticated, more targeted, and increasingly focused on the data that organisations value most, which is also the data that causes the most damage when compromised. HR and payroll data combines personal identifiers, financial data, and employment records in one place, which makes it extraordinarily attractive to threat actors.
The consequences of a breach in this space are significant. When employees learn that their bank details or tax records have been exposed, they lose trust quickly. I would argue that the loss of employee confidence is among the most underestimated risks of a data security incident. It is not easily rebuilt, and it has real implications for retention, culture, and an organisation’s ability to attract talent.
Organisations cannot treat security as a function that gets bolted on later. The goal is not to stop using data but to use it responsibly and securely.
Governance must become a proactive discipline
This is where I believe CIOs and CISOs need to fundamentally shift their thinking. Governance needs to be a discipline that is built into the design of every system, especially where people’s personal and financial information is involved. For HR and payroll data specifically, that means three things:
Data regulation is moving; leaders need to move with it
Regulation is moving quickly, and organisations are expected to move with it. The UK’s Data (Use and Access) Act, building on UK GDPR, places greater emphasis on the structured, auditable use of personal data. Informal arrangements are no longer sufficient. Formal, documented governance is now the baseline.
But compliance should not be the ambition. It is the minimum.
The point I would make to fellow technology and security leaders is this: compliance that is built reactively, in response to new legislation, is always more expensive and more disruptive than compliance that is designed in from the start. Forward-looking organisations are not scrambling to meet the requirements of new rules because they were already working to standards that anticipated where regulation was heading.
For HR and payroll data, this is information that directly affects people’s livelihoods. It deserves to be governed with the same rigour we would apply to any other critical system an organisation depends on.
Because that is what it is.
Photo by Mark Rowe: central London.