01
Data Flow Mapping
Mapping how personal data moves through the system — from collection to storage, processing, sharing, and retention — to identify exposure points.
👤
Employee Input
PII entered via web & mobile
→
🔐
API Gateway
TLS 1.3 encrypted transit
→
⚙️
Application Server
Business logic & validation
→
🗄️
Primary Database
AES-256 at rest
→
🔗
Third-Party Integrations
Payroll, Benefits, LMS
| Data Element | Classification | Source | Storage | Shared With | Retention | Lawful Basis |
|---|---|---|---|---|---|---|
| SSN / National ID | Restricted | Employee self-entry | Encrypted, masked in UI | Payroll vendor only | Term + 7 years | Legal obligation |
| Salary & Compensation | Confidential | HRIS sync | Encrypted at rest | Finance, Manager (limited) | Term + 5 years | Contract performance |
| Health Plan Selections | Confidential | Benefits enrollment flow | Encrypted, access-restricted | Benefits vendor | Term + 6 years | Contract performance |
| Bank Account / Direct Deposit | Restricted | Employee self-entry | Encrypted, tokenized | Payroll vendor only | Term + 3 years | Contract performance |
| Performance Ratings | Internal | Manager input | Standard encryption | HR, Manager chain | Term + 3 years | Legitimate interest |
| Contact Info (Address, Phone) | Internal | Employee self-entry | Standard encryption | HR, Emergency contacts | Term + 1 year | Contract performance |
| Time & Attendance Logs | Standard | System-generated | Standard encryption | Manager, Payroll | Term + 3 years | Contract performance |
| Device & Session Metadata | Standard | System-generated | Log storage (90 days) | IT Security only | 90 days rolling | Legitimate interest |
02
Risk Assessment Matrix
Plotting identified risks by likelihood and impact to prioritize mitigation efforts. Risks are mapped before recommended controls are applied.
LowMediumHighCritical
High
R-05
R-04
R-01
R-02
Med
R-07
R-06
R-03
Low
R-08
X-axis: Impact | Y-axis: Likelihood
03
Risk Register
Detailed findings from the assessment, with each risk documented by category, inherent severity, and recommended mitigation.
R-01
Over-Provisioned Access to Compensation Data
Critical
Default security configuration grants all HR Business Partners read access to full compensation data across all business units, violating the principle of least privilege. Current role-based access control design does not segment by region or organizational unit, exposing salary and bonus data for employees outside each HRBP's scope.
R-02
SSN Exposure via Unmasked API Response
Critical
API endpoint returning employee profile data includes the full SSN in the JSON payload before front-end masking is applied. If intercepted, cached by a CDN, or logged by an intermediary, unmasked SSNs could be exposed. Server-side masking must occur before the response is transmitted.
R-03
Third-Party Benefits Vendor — No DPA in Place
High
Health plan enrollment data (including dependent information) is shared with the benefits administration vendor via nightly file feed. No formal Data Processing Agreement is in place defining data handling obligations, breach notification timelines, sub-processor restrictions, or data deletion requirements upon contract termination.
R-04
EU Employee Data Stored in US-Only Infrastructure
High
All employee data, including records for 1,200 EU-based employees, is stored exclusively in US-East data centers. No data residency controls or Standard Contractual Clauses (SCCs) are implemented, creating a cross-border transfer compliance gap under GDPR Chapter V.
R-05
No Automated Session Timeout on Mobile App
Medium
Mobile application maintains active sessions indefinitely once authenticated. If a device is lost or stolen, an attacker could access the employee's full profile, pay stubs, and benefits elections without re-authentication. No idle timeout or biometric re-verification is configured.
R-06
Retention Policy Not Enforced Programmatically
Medium
Data retention schedules are documented in policy but not enforced through automated deletion or archiving. Terminated employee records, including SSNs and bank details, persist in production indefinitely. Manual quarterly reviews are insufficient for a population of 4,800.
R-07
Privacy Notice Does Not Cover All Processing Activities
Low
The employee privacy notice does not reference performance rating data collection, device metadata logging, or the specific third-party vendors receiving employee data. Transparency requirements under GDPR Art. 13/14 and CCPA notice-at-collection provisions are not fully met.
R-08
Audit Logging Gaps for Sensitive Data Access
Low
Access to compensation and SSN data is not logged at the field level. While system-level authentication logs exist, there is no audit trail showing which users viewed specific restricted data fields, limiting forensic capability in the event of an incident.
04
Recommended Controls & Mitigations
Proposed controls mapped to each identified risk, categorized by control type.
Technical — Access Control
Redesign RBAC with Org-Level Segmentation
Implement role-based access control segmented by business unit and region. HRBPs should only access compensation data for employees within their assigned scope. Quarterly access certification reviews with manager sign-off. Addresses R-01.
Technical — Data Protection
Server-Side SSN Masking & Tokenization
Mask SSN at the API layer before transmission. Implement tokenization for storage so that the full SSN is never accessible outside the payroll processing workflow. Log all unmasked access events. Addresses R-02.
Contractual — Third-Party
Execute Data Processing Agreement
Establish a DPA with the benefits vendor defining processing scope, breach notification (72 hours), sub-processor controls, data deletion upon termination, and annual audit rights. Addresses R-03.
Technical — Data Residency
EU Data Localization or SCCs
Either provision EU-region database infrastructure for EU employee records, or implement Standard Contractual Clauses with a Transfer Impact Assessment documenting supplementary safeguards. Addresses R-04.
Technical — Authentication
Mobile Session Timeout & Biometric Lock
Configure 15-minute idle timeout with biometric or PIN re-authentication. Implement remote wipe capability for sensitive data on lost/stolen devices. Addresses R-05.
Administrative — Retention
Automated Data Lifecycle Management
Implement automated retention enforcement: archive terminated employee records per schedule, purge restricted data (SSN, banking) at policy expiration, and generate quarterly compliance reports. Addresses R-06.
Administrative — Transparency
Update Employee Privacy Notice
Revise the privacy notice to include all processing activities, third-party recipients, device metadata collection, and data subject rights by jurisdiction. Distribute updated notice before portal go-live. Addresses R-07.
Technical — Monitoring
Field-Level Audit Logging
Enable field-level audit logging for all restricted and confidential data fields. Configure alerts for anomalous access patterns. Retain logs for minimum 12 months with immutable storage. Addresses R-08.
05
Assessment Summary
Aggregate findings and go-live readiness determination.
8
Risks Identified
2
Critical Findings
2
High Findings
8
Controls Proposed
| Risk | Inherent Rating | Control | Residual Rating | Go-Live Blocker? |
|---|---|---|---|---|
| R-01 Over-Provisioned Access | Critical | RBAC Redesign + Certification | Low | Yes — Must remediate |
| R-02 SSN API Exposure | Critical | Server-Side Masking + Tokenization | Low | Yes — Must remediate |
| R-03 No Vendor DPA | High | Execute DPA | Low | Yes — Must remediate |
| R-04 EU Data Transfer | High | Data Localization or SCCs | Low | Yes — Must remediate |
| R-05 No Mobile Timeout | Medium | Session Timeout + Biometric | Low | Recommended before launch |
| R-06 Retention Not Enforced | Medium | Automated Lifecycle Mgmt | Low | No — 90-day remediation |
| R-07 Privacy Notice Gaps | Low | Notice Update | Low | Recommended before launch |
| R-08 Audit Logging Gaps | Low | Field-Level Logging | Low | No — 90-day remediation |
Recommendation
Conditional Go-Live Approval. Four go-live blocking findings (R-01 through R-04) must be remediated before production launch. Two additional controls (R-05, R-07) are strongly recommended for launch readiness. Remaining items (R-06, R-08) approved for 90-day post-launch remediation with progress reporting to the CISO's office at 30-day intervals. Upon completion of all critical and high remediations, the portal will meet organizational privacy standards and regulatory requirements across US, EU, and LATAM operating regions.