6 Questions to Ask Your HRMS Vendor about HR Compliance

To avoid the risk of costly (and embarrassing) fines, as an employer you have to ensure HR compliance with a number rules and regulations – some of it legislative, some of it sector-specific or part and parcel of membership of a professional body. Certainly when it comes to a new HRMS, you want to be reassured that the all-singing, all-dancing package offered includes appropriate compliance in its repertoire.

1. What Compliance Breaches Have You Had to Deal With?

Put simply, you want to know the prospective vendor’s HR compliance history. On matters such as data protection, record-keeping and required reporting, have they ever fallen short and if so, how did they address the issue?

2. How Does Your System Comply with [Insert Legislation Here]?

Essentially this comes down to the vendor’s awareness of the local and national HR compliance laws that your organisation might be subject to when it comes to things like HRMS data security or payroll reporting. Examples might include real-time tax reporting in the UK, or compliance with the encryptions requirements of the Health Insurance Portability and Accountability Act (HIPAA) in the U.S.

3. Where Does Liability Lie in the Event of Non-Compliance?

In the event of a breach of HR compliance, you need to know who will ‘carry the can’, you or the software provider. For example, if data is lost, the owner of the data (e.g. an employee) might have recourse to litigation. As the employer, you may well have a duty of care but does that duty extend to the vendor as your ‘agent’?

4. Does Your Data Centre Have SSAE 16 Certification? (Cloud Only)

The SSAE 16 attestation relates to financial systems and extends to those organisations hosting systems relevant to a company’s financial systems, i.e. the data centre that holds your HR and payroll data. The data centre may belong to your HRMS provider or be a third party supplier – either way, a certificate would be good to see.

5. How Do You Handle International Data Protection Laws?

Data protection legislation differs from continent to continent and country to country. If you operate in more than one country, or operate in a different country to your HRMS vendor, or your data is held in a data centre in yet another country... it’s worth exploring this issue to ensure that your HRMS data storage complies with the right legislation.

6. How Are Sarbanes-Oxley Requirements Supported?

The Sarbanes-Oxley Act (SOX) was passed in the U.S. after some significant corporate financial scandals in the 90s. On behalf of shareholders and investors, it demands financial transparency and both U.S. public companies and the companies they deal with (including those not based in the U.S.) must comply. If you fall into either of these categories, it’s worth exploring how the financial data that *the vendor’s HRMS package accesses will meet HR compliance for SOX.