How to Manage Information Risk and Protect Data Privacy in the Enterprise
When we think of “data privacy,” it’s often in the context of an ever-increasing combination of consumer data: information about peoples’ health, education, purchasing activities, location, finances, etc. The right to privacy — to protecting that data from third parties that may use it for unauthorized purposes — has been made explicit by emerging laws and regulations such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States.
Since many office workers moved to remote status, it’s become clear how much data is being generated through virtual communications platforms like Slack, Microsoft Teams and Zoom. The privacy and security of our daily work chats are just as important as our browser history.
Somewhat paradoxically, financial industry regulations imposed by the SEC, FCA and FINRA require firms to collect and store all business-related electronic communications data. Outside of the regulatory obligation, enterprises in a variety of other industries proactively collect and preserve employee and client communications data. This information can serve as a valuable source of truth in the case of potential legal and security risks, which many large companies consistently face. When analyzed, communications data can elicit patterns, trends and business opportunities as well.
The scope of that data has expanded widely and sometimes collides with tools commonly used by individuals for personal purposes. As more data is collected, companies must find innovative ways to discern between work-related and personal communications. Data privacy laws are expanding throughout the world and will be increasingly important as more of our lives take place online. The initial thrust of many data protection laws is to protect the rights of personal data. And companies that preserve and monitor employee and client communications are not exempt.
Addressing the risks in employee communications
According to a Gartner 2018 survey “The Future of Employee Monitoring,” more than half of large enterprises surveyed use “some type of nontraditional monitoring techniques,” including “analyzing emails and social media, gathering biometric data, and understanding how employees are using their workspace.” In a June 2020 blog post on the future of work trends, Gartner noted that 16% are using these approaches more frequently since the start of the pandemic.
Applying supervisory practices beyond the industry-mandated domain means opening the aperture to view policy violations and vulnerabilities across multiple functions and business processes. Legal, HR, infosec, audit and investigative teams are all engaged in spotting red flags that range from loss of intellectual property, security exposures and privacy violations, to a variety of workplace policy infractions.
Before the pandemic, each of these departments typically held their own budgets, risk priorities and tools. The result is a plethora of siloed approaches to managing risk and massive duplication of stored data and associated costs. As we’ve seen from some widely publicized communications snafus, digital communications are changing that dynamic:
- HR/Code of Conduct: McDonald’s sought to recover severance from its fired CEO over workplace affairs occurring over text and video calls
- Confidential information: Boeing employee chats and emails alluded to 737 Max design issues before two large-scale fatal plane crashes in 2018 and 2019
- Data leaks: Apple warned employees about leaking information to media via LinkedIn and Twitter, invoking potential legal action including criminal charges. Similarly, Tesla warned about leaks and fired an employee for sharing confidential information with journalists on Twitter
- Intellectual property loss: “Gigaleaks” (a term coined to describe leaks of private company information such as emails, source code and creative prototypes) over Twitter and Discord plagued Nintendo and worried other tech gaming firms
Consider that these examples arose while, on average, less than 25% of employees were working remotely. Similar mishaps will increase in frequency, variety and potential severity now that nearly everyone is working remotely. From every mobile device, on every downloadable app, and likely in many virtual meetings, individuals could be violating company policies at this very minute.
Distributed work environments elevate the need to understand the behaviors of employees to a level never seen before. The result has been more firms acting in unison to share resources, tools and business practices to identify and mitigate risk.
Managing risk and protecting data privacy
How can enterprises reconcile evolving privacy laws with risk management processes and regulatory obligations? To prepare for increasing data volume and variety while also focusing on data privacy, we recommend:
Understand your data: the sources, features, users
How does your company engage with customers? What are the tools being used by frontline staff? What personal data can staff collect using those communications tools? Consider analyzing network traffic and scanning corporate devices to uncover what is actually in use as employees are often not forthcoming about the fact that they may be using “unapproved” communications platforms for business conversations. Interactions and engagement now take place across a complex web of channels and devices. You should be aware of all the locations where personal information might ultimately reside and the various dimensions included within that data.
Update policies to reflect all sources used for business purposes
In addition to consent policies, ensuring that internal communications policies are current and reflect how personal data should be managed is central to any privacy mandate.
Train employees on GDPR, CCPA and other applicable requirements
Training programs should be built out specific to privacy regulations. Related to CCPA, providing users and data managers with an overview of requirements can remove ambiguity when it comes to the consequences of potential policy violations.
Tune oversight processes to reflect higher risk areas
Business conversations are happening in a multitude of places. Like traditional email or chat, collaboration and conferencing platforms and encrypted messaging applications should be centrally managed so IT can monitor and protect personal information across all channels.
Leverage AI/surveillance to uncover dark data locations
Without AI-enabled surveillance and compliance tools, companies may find it difficult to address the risks that lie within new and various communications channels. Advanced analytics, language models and surveillance technology can help extend oversight processes with precision — so that only the most relevant information is surfaced.
Employ a scalable, content-agnostic solution for communications preservation and monitoring
Without access to your communications data, it will be increasingly harder to manage and protect it. An end-to-end solution for capturing, archiving, supervising and analyzing today’s mixture and volume of communications that makes that data available to myriad applications via APIs is a critical tool for a modern, global enterprise. An organization with those capabilities can use data to safeguard the privacy of its customers and employees, prevent costly fines, and protect the company’s reputation.
Share this post!
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.