Over the last year, there have been several jaw-dropping fines for privacy breaches. In the U.S., the Federal Trade Commission (FTC) fined a social media giant $5 billion, and across the pond, a major airline was fined 183 million pounds for a General Data Protection Regulation (GDPR) breach.

Regardless of industry, there are numerous examples of privacy breaches and investigations, which has led many businesses to scramble to achieve compliance and protect their customers’ data. However, it is not just consumers that organizations should be concerned about; their employees’ personal information also needs protection.

What Do Data Privacy Products Do?

With the rapid increase in privacy awareness, the market for tools that protect our privacy has boomed as a number of privacy-related products have entered the market. These tools introduce benefits such as:

Consumer awareness follows in the wake of new regulations. The GDPR is one of the most notable examples. There is also a number of U.S. federal and state regulations that have been introduced. The GDPR spurred global action because, although it was passed in the European Union, it has a global reach. Case in point: A U.S.-based hotel chain incurred a fine when 339 million guests’ personal data was stolen.

Why You Need to Consider Employees’ Privacy

When employees enter the office, they don’t leave their personal information at the door. Although employers may seek to improve productivity or streamline operations, this can infringe on employees’ privacy. The business may want to use unified endpoint management (UEM) tools to track a corporate-owned asset, but the employee may be concerned about what it reveals about their personal life as it travels with them. Businesses should be aware that the data they collect for legitimate purposes may contain personal information.

Consider the following examples:

  • Goldman Sachs reads any employee email that contains certain phrases as part of its real-time surveillance system.
  • Amazon holds a patent to track employees using ultrasound.
  • Three Square Market allowed employees to be voluntarily microchipped to get access to the building or make purchases at the office vending machine.

Mobile devices provide another way for personal information to be gathered because they are integrated into our daily lives and have an always-connected nature. Employees might be concerned with a corporate app that records their location or monitors their browsing habits. Because mobile devices travel everywhere with us, even a well-meaning asset tracking service to minimize the number of lost devices could reveal information about the user’s personal life. The potential for personal information to be embedded means that organizations should review what information and activity they record and check that they are compliant with the latest regulations.

Build a Business Privacy Plan

Protecting privacy is complex because there is a balance of business policy and technical design that needs to be applied to data across its life cycle. Considerations for how user activity is gathered are very different from how a business should decide when to delete stored data.

Business policies and processes can dramatically affect how private information is handled. Chief information officers (CIOs), chief security officers (CSOs) and privacy officers need to be able to articulate clearly to the rest of the organization how information should be managed and ensure that the right tools are in place to convert those business rules into technical execution.

Mobile devices can create policy complexity because the devices are increasingly owned or managed directly by the employee, which raises questions about what data collection businesses should do. Organizations are keen to promote mobile workflows because of the productivity uplifts they provide, but it isn’t clear what the apps that enable this record. If an employee owns the device, what data should a business be able to collect and when should the information be collected?

Businesses need a clear privacy policy that is applicable across different employee functions and methods of gathering data. A good privacy policy should contain both technical and process considerations, be applicable across the life cycle of personal data, and be easily understandable by the whole organization.

The Data Life Cycle

It is important to recognize that protecting privacy doesn’t just mean what you collect, it also includes how you store it and who you allow to access it. It sounds logical, but businesses fail to do so routinely. One social media organization revealed in March that thousands of its employees had been able to access hundreds of millions of unencrypted user passwords.

Transparency is crucial. When personal information is being collected, businesses should provide details about how it is managed. There are several key questions you should ask:

  • What information is being recorded?
  • Why is it being recorded?
  • How is it being stored?
  • Who has access to it?
  • When will it be deleted?

This transparency is important when choosing business tools and setting up business processes, especially when third parties are involved. With the rise of the cloud, it is possible for outside administrators to have access to information held in the cloud. Suppliers should be able to confirm who has access to systems, as well as when and why they will access them.

4 Elements of Data Privacy

Businesses are left with the challenge of having to balance all these considerations when managing privacy. It is easy to see why consulting practices focused on privacy have sprung up to assist organizations and anxious board directors. However, it is not just boards and C-level executives that need to be aware, because employees across the business may have access to personal information or make decisions that affect it. Businesses can begin by thinking about privacy as the combination of four elements: identity, activity, policy and transparency.

1. Identity

Information about an individual can be used to identify them. The easiest way to prevent it from being inappropriately used is to collect nothing, if possible, and the minimum amount when you have to. If collected data is gathered, ensure information is encrypted and grant access to the data only when necessary.

2. Activity

Actions speak louder than words. Data gathered from individuals’ activities could reveal personal information. For example, location data could very easily reveal information about an individual’s lifestyle. To prevent profiling, potentially private data should be separated. This can be done by separating profile and activity information. Ensure that activities such as user browsing are encrypted.

3. Policy

Having a policy means more than having a document on a corporate intranet site. Business policy should be understood at all levels and be applicable to both technical systems and business processes. Businesses should make as little personal data visible as possible, and only for the stated purpose. Access to data should be governed at the user level so only the right individuals can access it.

4. Transparency

Let individuals know what you are collecting and why you are collecting it. While data is in your charge, make it clear how you will be managing it end to end. If there are any changes to how to handle data, make sure that individuals are informed.

Ensuring these elements are known across the business and kept close to heart when considering new business tools or processes is an important first step toward ensuring regulatory compliance. Businesses should also look at what systems they currently use, especially around the mobile ecosystem where overcollection is easy. Finally, sharing the privacy policy throughout the organization will help keep decision-making aligned with the business’ values.

More from Data Protection

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

Meeting Today’s Complex Data Privacy Challenges

Pop quiz: Who is responsible for compliance and data privacy in an organization? Is it a) the security department, b) the IT department, c) the legal department, d) the compliance group or e) all of the above? If you answered "all of the above," you are well-versed in the complex world of compliance and data privacy! While compliance is a complex topic, the patchwork of regulations imposed by countries, regions, states and industries further compounds it. This complexity has turned…