Five Steps to Implement Employee Monitoring without Violating Employee Privacy
Data Privacy Begins with Transparency
Few topics are garnering as much attention as data privacy. In addition to being a perpetual fear of all consumers, new laws make data privacy a regulatory hassle for companies as well. Most famously, Europe’s groundbreaking General Data Protection Regulation (GDPR) places stringent data privacy requirements on any organization doing business with European nationals. Meanwhile, California, the tech capital of the U.S., passed its own GDPR-like law with implications that exceed its state boundaries. Other countries are following their lead, and it’s clear that, going forward, increased regulation and accompanying compliance measures will be a powerful force for virtually every organization.
In this regulatory environment, every company needs to oversee, manage, and control access and use of organizational data.
Therefore, more organizations are turning to employee monitoring and data loss prevention software to ensure compliance with the growing body of laws that govern their data.
To be sure, its use cases are nuanced, but modern employee monitoring software is capable of capturing all employee activity on company devices. While this is a boon for protecting user data from insider threats, it can be problematic when applied to the employees’ own privacy, an often-controversial component of data privacy.
In short, organizations deploying employee monitoring software must do so without creating risk by inadvertently capturing employees’ personal data and exposing themselves to privacy violations.
Fortunately, this is doable. Here are five steps to implement employee monitoring software without violating employee privacy.
#1 Establish and explain the data collection policy
GDPR and other data regulations return significant control over data collection back to the person whose information is gathered. However, that doesn’t mean that companies can’t collect data on their employees.
In fact, failure to provide oversight of employees’ digital activity is negligent in its own right.
The key is clarity and intentionality.
GDPR’s “Right to be Informed” clause notes that there is “a need for transparency regarding the gathering and use of data to allow EU citizens to exercise their right to the protection of personal data.”
In other words, employees need to know what information is collected, what is done with it, and how it is secured once the company has it.
In conjunction with IT professionals and employee representatives, every organization should determine the information that will be collected, and they should clearly convey those decisions to all employees through a formal policy that is easily understood and accessible.
#2 Decline to survey or collect personal information
For many, the mention of employee monitoring software conjures visions of an overzealous management team spying on employees, noting every lapse in productivity and collecting droves of personal information along the way.
This shouldn’t be the case, and employee monitoring software does not have to be implemented in this way. With modern employee monitoring software, the Big Brother connotations of the past need not apply. Bolstered by advances in artificial intelligence and other technologies, the best employee monitoring software can be selective in what it gathers.
For example, employers can choose to capture only specific scenarios, such as when an employee accesses sensitive files or network areas. Moreover, personal information can be redacted rather than captured, releasing companies from the burden of protecting employee data that they never needed in the first place.
#3 Use pseudonymization when appropriate
The primary purpose of employee monitoring software is to protect against a data loss event, but it has other benefits as well. For example, it offers companies a deluge of data that can be incredibly helpful for determining things like efficiency standards, communication best practices, and other metrics.
While this information is the result of monitoring individuals, it doesn’t always have to be personal, and, according to Recital 26, GDPR is not applicable to anonymous data.
In many instances, employee information can be collected and pseudonymized, so employees can operate with autonomy, and companies can gather the data that they need without compromising their employees’ privacy.
#4 Use data and delete it
GDPR introduces a comprehensive “right to be forgotten” mandate that, in most instances, requires companies to delete a person’s information when the individual requests that it be removed. Some scholars speculate that this component of the law does not apply to the employer/employee relationship; however, the ethos is unmistakable.
To be proactive, every organization should be specific and strategic about the data it collects. Some data will need to be retained for future forensic purposes, but other information can be deleted once it has served its immediate use. By reducing the amount of data on file, companies can mitigate their exposure while embracing the emerging sentiment that less is more when it comes to data ownership.
#5 Be transparent and accountable
Privacy regulations place a premium on transparency, both in its simplicity and its frequency. GDPR’s Recital 58 calls for “any information addressed to the public or to the data subject be concise, easily accessible and easy to understand.” Meanwhile, companies are pressed to regularly update their users on policy changes.
Of course, proving compliance with these regulations involves a certification apparatus that compels companies to continually demonstrate their effectiveness in this regard.
Consequently, as global regulation draws nearer, all companies must establish a plan to be transparent while remaining accountable to the certification standards that uphold these values.
Since the primary purpose of employee monitoring software is to uphold data security, itself another facet of GDPR and other regulations, companies need to make sure they do not capture personal information on their employees, and they need to purchase employee monitoring software that can be configured to avoid doing so.
This article was originally published on IT Security Central and was reprinted with permission.