Best Practices for Employee Data Protection

This article series is underwritten by Symantec and went through our normal editorial review process. 

Data privacy is a primary concern for companies today, but that attention is often focused on customers. Yet they are not the only people whose data companies store. They also maintain information on their employees. And employees are apparently not all that confident that employers are doing a good job of protecting their personal data at the workplace.

Sixty-four percent of all Americans have experienced a breach in their personal data, according to a study conducted by the Pew Research Center, and about half of Americans feel that employee privacy is less secure now than it has been in years past.

This is not how it should be, says Gerard Chan, head of the global privacy office for Symantec.  Privacy and the protection of personal data should be an integral part of the corporate culture and core values of every organization, he says.

“When it comes to privacy, companies need to remember that employees are just as important stakeholders as their customers,” Chan says. “Employees should feel their data has been protected by the company with no less of a standard than they would use to protect third-party data.”

As competition for top talent heats up, employee engagement is a top priority, and many companies use employee engagement software solutions to gather feedback from their teams. This information can be helpful to companies as they seek to improve their employee engagement, but it’s also highly sensitive and vulnerable to theft and breaches, Chan says.

Protecting employee data

Employers need to process and maintain a broad range of personal data for employees and they do so through the entire life cycle of the employment if not beyond, for example, during recruitment and onboarding process, during the course of the employment relationship, and even after it ends.

In addition to the personal data that is traditionally expected to be processed in the employer-employee relationship, such as contact details, right-to-work, and bank account information, employers will also process data about the employees as part of their day-to-day working lives. This could include data on their physical movements (CCTV and badges), data on their devices and corporate laptops, as well as data about their health and wellbeing, not to mention, in many cases, data about their families.

“Processing this vast amount of data brings with it a responsibility to ensure that employers both protect employees’ data and provide them with a level of privacy,” says Chan.

A global approach to employee data

Employee data is covered under the European Union’s recent General Data Protection Regulation (GDPR) and may very well be included in forthcoming data privacy legislation in the U.S. and elsewhere around the world. But not all companies have processes in place to properly manage employee data under the GDPR.

“International employers can stay ahead of the curve by adopting a global approach to how they maintain and process employee personal data that is mirrored on the GDPR. This will ensure that employees feel a sense of trust with their employer and engage employees to take personal data and privacy rights as a core value for their employer regardless of the local legal requirements,” Chan says.

Transparency is paramount

According to Chan, the GDPR provides data subjects, including employees, with increased transparency about how their data is managed and processed by their employers as well as bolstered data subject rights.

As he points out, employers must ensure that they have clear and easy-to-understand privacy notices for their employees, and those privacy notices should cover the broad spectrum of personal-data-processing activities that the employer will undertake during the course of the relationship.

“An area that most corporate organization struggle with is data retention,” Chan says. “Employers need to ensure that they have operationalized data retention and destruction process and policy in place. This will ensure that employers meet both the requirements of the GDPR from a storage limitation perspective, but also to minimize the time and resources needed when dealing with an employee data subject access request.”

Protecting sensitive information

In addition to all the other information companies traditionally collect and process about their employees, employee engagement solutions have become more prevalent. Such software has proven to be a successful way for companies to receive frank and honest feedback from employees while endeavoring to ensure that processes or technology are in place to ensure anonymity. What was once an annual online form or paper survey is now more often a real-time employee engagement solution that gathers regular feedback from employees.

Based on the feedback, companies develop metrics that they can use to measure the effectiveness of their culture, team building, and recruitment efforts. This is especially useful during changes in the organization.

But employee engagement software may also tap into highly sensitive information, even if not intentionally, Chan points out. Employees have the right to either opt in or out from sharing their feedback, and can choose to do so anonymously or not, but once they do participate, the data becomes the responsibility of the company. And more often than not, feedback that seems to be anonymous may be relatively easy to attribute to a particular employee because of the context in which it was given, the subject it relates to, or the view it expresses. Therefore, as with all information “this is susceptible to breach,” he says.

Prioritizing due diligence

Companies are keen to understand how to use employee engagement products while ensuring protection of employee data and compliance with legislation. The key, says Chan, is proper due diligence.

“Employers need to ensure that they conduct adequate due diligence on the solutions, and work with their security teams to ensure all applications are vetted and approved,” he advises. “Additionally, ensuring data is securely deleted and destroyed when it is no longer required is fundamental for ongoing compliance and reduction of risk of exposure.”

Employee engagement solutions experts also recommend that employers understand how cloud data is managed by the employee engagement vendor, and that they have a secure sign-on system for those using the employee engagement and feedback products.

Showing leadership in employee data protection

There are many ways that companies can demonstrate leadership in making sure employees understand that they care about protecting personal data. In addition to making it part of the corporate culture, privacy of personal data should be among the values “embedded across the organization from grass roots to executive level,” Chan says.

Privacy initiatives and training should be a regular part of the employees work life, he adds. “Leadership needs to take an active part in privacy initiatives.”

Many companies take the opportunity to engage employees on privacy issues on International Privacy Day.

“At Symantec we have put a lot of thought and planning into our operating model and this is now the backbone of our own privacy program, which we are very proud of,” Chan says.

Image: Rawpixel