Over the last year, there have been several jaw-dropping fines for privacy breaches. In the U.S., the Federal Trade Commission (FTC) fined a social media giant $5 billion, and across the pond, a major airline was fined 183 million pounds for a General Data Protection Regulation (GDPR) breach.
Regardless of industry, there are numerous examples of privacy breaches and investigations, which have led many businesses to scramble to achieve compliance and protect their customers’ data. However, it is not just consumers that organizations should be concerned about; their employees’ personal information also needs protection.
What Do Data Privacy Products Do?
With the rapid increase in privacy awareness, the market for tools that protect our privacy has boomed as a number of privacy-related products have entered the market. These tools introduce benefits such as:
Consumer awareness follows in the wake of new regulations. The GDPR is one of the most notable examples. There are also a number of U.S. federal and state regulations that have been introduced. The GDPR spurred global action because, although it was passed in the European Union, it has a global reach. Case in point: A U.S.-based hotel chain incurred a fine when 339 million guests’ personal data was stolen.
Why You Need to Consider Employees’ Privacy
When employees enter the office, they don’t leave their personal information at the door. Although employers may seek to improve productivity or streamline operations, this can infringe on employees’ privacy. The business may want to use unified endpoint management (UEM) tools to track a corporate-owned asset, but the employee may be concerned about what it reveals about their personal life as it travels with them. Businesses should be aware that the data they collect for legitimate purposes may contain personal information.
Consider the following examples:
- Goldman Sachs reads any employee email that contains certain phrases as part of its real-time surveillance system.
- Amazon holds a patent to track employees using ultrasound.
- Three Square Market allowed employees to be voluntarily microchipped to get access to the building or make purchases at the office vending machine.
Mobile devices provide another way for personal information to be gathered because they are integrated into our daily lives and have an always-connected nature. Employees might be concerned with a corporate app that records their location or monitors their browsing habits. Because mobile devices travel everywhere with us, even a well-meaning asset tracking service to minimize the number of lost devices could reveal information about the user’s personal life. The potential for personal information to be embedded means that organizations should review what information and activity they record and check that they are compliant with the latest regulations.
Build a Business Privacy Plan
Protecting privacy is complex because there is a balance of business policy and technical design that needs to be applied to data across its life cycle. Considerations for how user activity is gathered are very different from how a business should decide when to delete stored data.
Business policies and processes can dramatically affect how private information is handled. Chief information officers (CIOs), chief security officers (CSOs) and privacy officers need to be able to articulate clearly to the rest of the organization how information should be managed and ensure that the right tools are in place to convert those business rules into technical execution.
Mobile devices can create policy complexity because the devices are increasingly owned or managed directly by the employee, which raises questions about what data collection businesses should do. Organizations are keen to promote mobile workflows because of the productivity uplifts they provide, but it isn’t clear what data the apps that enable these workflows record. If an employee owns the device, what data should a business be able to collect and when should the information be collected?
Businesses need a clear privacy policy that is applicable across different employee functions and methods of gathering data. A good privacy policy should contain both technical and process considerations, be applicable across the life cycle of personal data, and be easily understandable by the whole organization.
The Data Life Cycle
It is important to recognize that protecting privacy isn’t just about what you collect; it also includes how you store it and who you allow to access it. It sounds logical, but businesses fail to do so routinely. One social media organization revealed in March that thousands of its employees had been able to access hundreds of millions of unencrypted user passwords.
Transparency is crucial. When personal information is being collected, businesses should provide details about how it is managed. There are several key questions you should ask:
- What information is being recorded?
- Why is it being recorded?
- How is it being stored?
- Who has access to it?
- When will it be deleted?
This transparency is important when choosing business tools and setting up business processes, especially when third parties are involved. With the rise of the cloud, it is possible for outside administrators to have access to information held in the cloud. Suppliers should be able to confirm who has access to systems, as well as when and why they will access them.
4 Elements of Data Privacy
Businesses are left with the challenge of having to balance all these considerations when managing privacy. It is easy to see why consulting practices focused on privacy have sprung up to assist organizations and anxious board directors. However, it is not just boards and C-level executives that need to be aware, because employees across the business may have access to personal information or make decisions that affect it. Businesses can begin by thinking about privacy as the combination of four elements: identity, activity, policy and transparency.
1. Identity
Information about an individual can be used to identify them. The easiest way to prevent it from being inappropriately used is to collect nothing, if possible, and the minimum amount when you have to. If data is gathered, ensure it is encrypted and grant access to it only when necessary.
2. Activity
Actions speak louder than words. Data gathered from individuals’ activities could reveal personal information. For example, location data could very easily reveal information about an individual’s lifestyle. To prevent profiling, potentially private data should be separated. This can be done by separating profile and activity information. Ensure that activities such as user browsing are encrypted.
3. Policy
Having a policy means more than having a document on a corporate intranet site. Business policy should be understood at all levels and be applicable to both technical systems and business processes. Businesses should make as little personal data visible as possible, and only for the stated purpose. Access to data should be governed at the user level so only the right individuals can access it.
4. Transparency
Let individuals know what you are collecting and why you are collecting it. While data is in your charge, make it clear how you will be managing it end to end. If there are any changes to how you handle data, make sure that individuals are informed.
Ensuring these elements are known across the business and kept close to heart when considering new business tools or processes is an important first step toward ensuring regulatory compliance. Businesses should also look at what systems they currently use, especially around the mobile ecosystem where overcollection is easy. Finally, sharing the privacy policy throughout the organization will help keep decision-making aligned with the business’s values.
Vice President of Product, Wandera
Program Director, MaaS360 Offering Management, IBM