The speed at which the digital workplace is evolving means operating policies and procedures are also in flux. One of the most important of these is data privacy: how to handle the personal, confidential information of customers and employees. Ensuring data privacy in the digital workplace isn’t just a nice to have, it is the focus of governments and agencies across the world. In short, it is the law.
And it’s complicated.
Data often lives in silos in the organization with one group focused on data privacy, another on security, yet another on compliance. Throw marketing into the mix and you end up with layers of policies surrounding the same data. Plus, data has different levels of sensitivity as to what is considered private, confidential and in some organizations, classified.
Given that scenario, here are 10 best practices for ensuring data privacy in the digital workplace.
10 Best Practices for Data Privacy
1. Data is people. To fully understand and communicate data privacy, remember that data is not 111s and 000s. Data is people. “Companies need to realize that they're being entrusted with the digital versions of people. And once you start thinking that it's a carbon life form in digital form that I am being entrusted with, you're going to treat that differently than a collection of digital records,” explained Kevin Coppins, CEO of Spirion, a data privacy management company.
“Remind people they are dealing with people not just data. (At a company meeting) I’ll say to Fred who has information on Nancy’s kids and who is sitting next to Nancy: Look, their information is in your system. You are responsible for protecting Nancy’s kids for the rest of their lives,” Coppins added.
2. Start at the top. Data privacy belongs to the CEO at the executive level. Since 2014, top leaders at Equifax, Target and Sony, have either resigned or been fired in the wake of prominent cyber incidents, according to a recent Wall Street Journal article. Congress is considering legislation that would impose heavy fines and even prison time on high-level executives who fail to protect corporate data. In one of the biggest data breach cases to date, Morgan Stanley was fined $60 million for failing to protect personal financial data — more on that later.
CEOs in every organization take note: Data privacy begins with you.
Related Article: 4 Ways a Chief Privacy Officer Can Help Your Company
3. Step back, look at the big picture. Get beyond the data silos and look at data usage throughout your digital workplace. Where does data reside in your organization? What is being collected? Who is using it and how is it connected across the organization? That last point is particularly important because data takes on different value depending on who is using it.
4. Do a full assessment of the data and answer the following questions: What does this data mean to our customers and employees? What is sensitive data in healthcare or financial services may not be in retail or manufacturing. Put a solid set of definitions around the data that is used company-wide, not just by one organization or group.
5. Once you've defined sensitive data, categorize it so everyone within the organization knows how it should be handled. Coppins recommends doing more than just labeling the data personal, confidential or top secret. “You need to be a lot smarter when you redefine what sensitive means. It can be sensitive based on who's viewing it and how it's being used versus confidential or top secret.”
6. Develop a mapping scheme for data exchange so that you can create policies and processes that recognize that sensitive data is fluid. Permissions need to be set as to who can use and who can move data, said Michael Harstrick, chief global development officer of Garner Products, a data security company.
“You have to have a set of permissions in that data, monitor them and enforce them to make sure that only the people that are allowed to see certain data can see or can move that data. You should end up with a matrix with a definition of information of what you're allowed to have access to as an employee,” Harstrick explained.
Related Article: Employee Data Surge Means Increased Privacy Risks
7. Recognize that data changes as it is used. Data not only moves within an organization, the nature of data changes if it is enriched or linked to another data record. A social security number is one type of data. If the person’s driver’s license is linked to that record, it becomes enriched and more sensitive, because more is known about the person. Educate all employees on the critical nature of sensitive data, the need to protect it and how to handle data in their role. Data is no longer information — its use or misuse can change lives.
“As a society we continue to try to grapple with this idea of personal data — that's me, but it's a digital version of me. How we treat that data can mean how I get marketed to or whether I can be employed,” said Spirion's Coppins.
8. The right to be forgotten. A key provision of the far-reaching General Data Protection Regulation (GDPR) privacy law that is particularly difficult for most companies is the right to be forgotten. The rule gives EU citizens the power to demand data about them be deleted. Which is good in theory but difficult in practice, said Coppins. For example, a company like Walgreens may have your employment data, your healthcare data, your financial records, your consumer data. It may find most of the data, but if it misses even one part of it, it is liable.
9. Extend your digital workplace privacy considerations to end-of-life data disposal. You can have best policies and practices for data living in your organization but lose it all if that same data is not properly disposed of at end of life. Confidential data must be fully destroyed to protect an organization from agency fines and lawsuits as Morgan Stanley learned when hard disk drives they sent out for disposal remained intact and cost the company $60 million in fines.
10. Many common data disposal means such as shredding or overwriting can still leave a company vulnerable because data can be recovered. “People have no concept, of what goes on in one of these devices. The truth, if you take (a disk drive) apart and shred it to two-millimeter particles, which is the size of a pencil lead, it can still hold 600,000 pages. It's unimaginable.” According to Garner’s Harstrick, only degaussing, followed by destruction and a proof of destruction, fully protects the company from liability.
Related Article: Even the Best Laid Plans Forget This Security Gap
The Future of Data Privacy
Organizations can ensure data privacy throughout the digital workplace through the best practices outlined here and by keeping one thing in mind: data is people.“Remember that you're a person. And that data that you're managing is people as well. So wear the human hat when you're in your tech role,” said Coppins.