Workplace professionals charged with maintaining the privacy and security of employee data have their work cut out, as workforce data surges and the risk of breaches increases. Officials at Forrester shared these findings in a report published last month on the future of work. Artificial intelligence-based workforce tools, the desire for employee sentiment analysis, organizational network analysis programs and devices like Fitbits and Apple Watches are rising because organizations have the appetite to collect and manage data “to transform the workforce and fuel better business results,” according to the Forrester report.
“The mountain of data is continuing to compound,” said Mark Brandau, principal analyst on Forrester’s CIO team. “Organizations are trying to collect more information, and they're trying to do more with it. But as they do that, the risk keeps going up. It's a very interesting dilemma. We know we have to do better and get better data, but with more data, the risk goes up.”
Breaches Lead to GDPR Fines and Investigations
Some organizations are now recognizing these risks. The Greek Hellenic Data Protection Authority fined PwC $164.5K in July for General Data Protection Regulation (GDPR) violations regarding employee data. According to the Greek data privacy enforcer, PwC has been fined for the following items:
- Unlawfully processed the personal data of its employees contrary to the provisions of Article 5, “Principles relating to processing of personal data," because it used an inappropriate legal basis.
- Processed the personal data of its employees in an unfair and non-transparent manner contrary to the provisions of Article 5, giving employees the false impression that it was processing their data under the legal basis of consent pursuant to Article 6 of the GDPR, “Lawfulness of processing,” while in reality it was processing their data under a different legal basis about which the employees had never been informed.
- Was not able to demonstrate compliance with Article 5 and violated the principle of accountability set out in Article 5 by transferring the burden of proof of compliance to the data subjects.
Also, a German privacy watchdog opened an investigation in January into clothing retailer H&M because it found evidence the Swedish retailer committed “massive data protection breaches” by spying on its customer service representatives in Germany. A hard drive containing about 60 gigabytes of data revealed that superiors at the site in Nuremberg kept “detailed and systematic” records about employees’ health, from bladder weakness to cancer, and about their private lives, such as family disputes or holiday experiences, according to an Associated Press report.
Grappling with employee data privacy regulations should be nothing new to most organizations. GDPR is just one regulation that aims to protect employee data. The Americans with Disabilities Act, the California Consumer Privacy Act and the EU–U.S. Privacy Shield, for instance, should force employers to constantly check internal policies, data privacy notices and contract provisions related to privacy, as well as collective-bargaining agreements, according to a March report from the National Law Review. “Employers with employee representative bodies (unions, works councils, etc.) may need or want to consult with those bodies before implementing new measures implicating employee privacy,” according to the report.
Why Employee Data Collection Is Rising
It’s also helpful to understand why — and where — employee data is rising in the workforce. The rise in employee data is one of four “shocks” to the workforce, which also include systematic risk, rising robots and expanding employee power, according to Forrester researchers. They warn of an “employee data tsunami” from automation technology and AI-backed devices that will bring more data on top of existing employee data from systems for managing people operations and strategies (human capital management technology). This sensitive data includes government identification numbers, dates of birth, payroll/bank, benefits/medical, background verification information and sensitive information like succession plans, according to Forrester researchers.
Workforce data has been poorly managed for 100 years, according to Brandau. Organizations want to do better, and therefore workforce analytics technology has become a “very hot area in human capital management.” “Most people expect significant return on workforce analytics … but they don't use their workforce data well. It’s underused,” Brandau said. “The problem is when you look at it a little closer, there's a high degree of risk associated with it. So you've got a lot of potential for misuse, and a lot of potential for underuse. So it's really kind of a dodgy thing. It's hard. You're dealing with very serious security and data governance risks at organizational levels.”
Further, he found, COVID-19 exposed for many organizations that they don’t have enough good data to make good decisions. That’s growing the appetite for better data to help provide better employee experiences. “For example,” Brandau added, “it was really hard for people to identify who could work from home (when COVID-19 broke), and that became really challenging because they didn't have the data. So there's that aspect of it. It’s hard because we don't have the data.”
How Organizations Can Protect Data
The massive move to remote work due to COVID-19 has only increased the need for organizations to be more vigilant with employee data. Hilary Wandall, TrustArc’s senior vice president, privacy intelligence and general counsel, said companies need to account for data privacy laws and policies as well as the physical tools and strategies needed to work from home.
Wandall shared some tips for employers to ensure a strong privacy and security program.
It is important to allow people to connect into company systems in a secure way so they don’t run the risk of inadvertently leaking confidential or personal data. Companies should utilize two-factor authentication to verify who is accessing their systems and prevent data breaches.
Oftentimes, home networks have weak passwords or are not password protected at all. To mitigate risk, companies should require employees by policy to use secure, password protected WiFi networks.
While working from home, employees in certain roles commonly print out work documents. In this situation, physical documents that contain potentially sensitive information can be misplaced or accessed by others in the household who are not members of the workforce. To prevent the accidental leak of confidential data, organizations should adopt a policy that identifies how to mitigate this risk, train employees on it, and ask that they shred sensitive documents when finished working with them.
Secure Video Meetings
Organizations should require employees to use password-protected video conference services and encourage the use of “waiting room” features, where the meeting host manually allows participants to enter the meeting. Taking these precautions can prevent unknown parties from entering company meetings, which increasingly include meetings in which highly sensitive information is discussed and shared, such as regular or special board of directors recommendations.
Several companies have been forced to quickly adopt new third-party applications or use existing third parties differently during the COVID-19 crisis to enable employees to work remotely. To manage vendor risk effectively, it is essential that companies assess new vendors before beginning to use them. Third-party risk assessment is a critical step to ensure data privacy during remote work. “It is one thing to follow a checklist, but it is really important, especially as stay at home orders are prolonged,” Wandall said, “to apply these lessons to long term planning. Companies should formally conduct an impact control assessment to make sure the correct measures are ongoing, secure remote work.”