Data privacy is a primary concern for companies today, but that attention is often focused on customers. Yet they are not the only people whose data companies store. They also maintain information on their employees. And employees are apparently not all that confident that employers are doing a good job of protecting their personal data at the workplace.
Sixty-four percent of all Americans have experienced a breach in their personal data, according to a study conducted by the Pew Research Center, and about half of Americans feel that employee privacy is less secure now than it has been in years past.
This is not how it should be, says Gerard Chan, head of the global privacy office for Symantec. Privacy and the protection of personal data should be an integral part of the corporate culture and core values of every organization, he says.
“When it comes to privacy, companies need to remember that employees are just as important stakeholders as their customers,” Chan says. “Employees should feel their data has been protected by the company with no less of a standard than they would use to protect third-party data.”
As competition for top talent heats up, employee engagement is a top priority, and many companies use employee engagement software solutions to gather feedback from their teams. This information can be helpful to companies as they seek to improve their employee engagement, but it’s also highly sensitive and vulnerable to theft and breaches, Chan says.
In addition to the personal data that is traditionally expected to be processed in the employer-employee relationship, such as contact details, right-to-work, and bank account information, employers will also process data about the employees as part of their day-to-day working lives. This could include data on their physical movements (CCTV and badges), data on their devices and corporate laptops, as well as data about their health and wellbeing, not to mention, in many cases, data about their families.
“Processing this vast amount of data brings with it a responsibility to ensure that employers both protect employees’ data and provide them with a level of privacy,” says Chan.
“International employers can stay ahead of the curve by adopting a global approach to how they maintain and process employee personal data that is mirrored on the GDPR. This will ensure that employees feel a sense of trust with their employer and engage employees to take personal data and privacy rights as a core value for their employer regardless of the local legal requirements,” Chan says.
As he points out, employers must ensure that they have clear and easy-to-understand privacy notices for their employees, and those privacy notices should cover the broad spectrum of personal-data-processing activities that the employer will undertake during the course of the relationship.
“An area that most corporate organizations struggle with is data retention,” Chan says. “Employers need to ensure that they have an operationalized data retention and destruction process and policy in place. This will ensure that employers meet both the requirements of the GDPR from a storage limitation perspective, but also to minimize the time and resources needed when dealing with an employee data subject access request.”
Based on the feedback, companies develop metrics that they can use to measure the effectiveness of their culture, team building, and recruitment efforts. This is especially useful during changes in the organization.
But employee engagement software may also tap into highly sensitive information, even if not intentionally, Chan points out. Employees have the right to opt in to or out of sharing their feedback, and can choose to do so anonymously or not, but once they do participate, the data becomes the responsibility of the company. And more often than not, feedback that seems to be anonymous may be relatively easy to attribute to a particular employee because of the context in which it was given, the subject it relates to, or the view it expresses. Therefore, as with all information, “this is susceptible to breach,” he says.
“Employers need to ensure that they conduct adequate due diligence on the solutions, and work with their security teams to ensure all applications are vetted and approved,” he advises. “Additionally, ensuring data is securely deleted and destroyed when it is no longer required is fundamental for ongoing compliance and reduction of risk of exposure.”
Employee engagement solutions experts also recommend that employers understand how cloud data is managed by the employee engagement vendor, and that they have a secure sign-on system for those using the employee engagement and feedback products.
Privacy initiatives and training should be a regular part of the employees' work life, he adds. “Leadership needs to take an active part in privacy initiatives.”
Many companies take the opportunity to engage employees on privacy issues on International Privacy Day.
“At Symantec we have put a lot of thought and planning into our operating model and this is now the backbone of our own privacy program, which we are very proud of,” Chan says.
Based in southwest Florida, Amy has written about sustainability and the Triple Bottom Line for over 20 years, specializing in sustainability reporting, policy papers and research reports for multinational clients in pharmaceuticals, consumer goods, ICT, tourism and other sectors. She also writes for Ethical Corporation and is a contributor to Creating a Culture of Integrity: Business Ethics for the 21st Century.