Data privacy professionals know that much of their energy is focused on the external aspects of their privacy program, but companies cannot neglect the privacy and data protection concerns of their employees.
In fact, an increasing number of corporate professionals are calling on their companies to prioritize the protection of their personal data.
An Accenture study found that 64% of employees said recent scandals over the misuse of data have led them to question whether their own personal data is at risk. Additionally, more than one in two workers said they’d consider leaving an employer that didn’t use workplace data responsibly.
Arguably, the information companies collect from their workforce is becoming more personal in nature, including data related to coronavirus cases and benefits information surrounding abortion services.
The argument for companies to implement consistent and transparent policies around employee data protection has never been clearer. Let’s dive into where to begin.
The importance of gaining employee trust
As part of Accenture’s report, Ellyn Shook, the company’s Chief Leadership and Human Resources Officer, said that when it comes to workplace data privacy, responsible leadership is key to building employee trust.
“Trust is the ultimate currency.”
Ellyn Shook, Accenture
Employee trust can also serve as a vital tool in fostering a positive culture around privacy, according to Richard Purcell, who is often referred to as the pioneer of data privacy.
Purcell was appointed as Microsoft’s first Chief Privacy Officer in 2000 and later founded Corporate Privacy Group. He also served as the Chair of the DHS Privacy Advisory Committee.
He told the Data Privacy Board that it’s important for employees to see that the benefits of their company’s privacy policies extend past the customer base.
He said, “The first and foremost thing everybody should do in a privacy program is develop a component of the privacy program that’s specifically for employee data.”
From your healthcare information to your address and spouse’s name, your company holds a great deal of personal data, and employees should know how well protected it is. Communicating this to employees will further support your goal of getting the enterprise to fully embrace your privacy program.
“If you believe that the company is looking after your information, it’s easier for you to believe that you should look after your company’s information as well,” Richard said.
How to outline clear and consistent policies
In order to earn employees’ support and confidence in data privacy, Cécile Goerges, Vice President and Head of Global Compliance at ADP, said establishing sound and consistent protocols is critical.
In an ADP article by security and compliance writer Paul McCormack, Cécile discussed the heightened importance of workplace data privacy amid the coronavirus pandemic. She advised companies to be upfront with employees about the data they’re collecting and why.
She said, “Clearly define the purpose and be transparent about the type of information you plan to collect and analyze.”
But transparency remains a vital tool outside of pandemics. The data privacy program must ensure it has implemented formal consent policies, with a plan to review them on a regular basis, according to Rehan Jalil, CEO of cybersecurity and data protection infrastructure firm SECURITI.
In a Forbes article, Rehan said companies must disclose to employees the personal data they collect and process. Employee data privacy policies should also include how the data is being used, how long it’s being retained, and where it’s being stored or shared.
“The best way to do this is through transparent formal consent policies that are easily accessible and understandable, as well as compliant with all relevant laws,” Rehan wrote.
Additionally, Rehan said companies are obligated to provide training to ensure employees understand their own data privacy rights.
According to TechTarget, frequent employee privacy concerns include:
- What personal information is being collected and why
- Email privacy
- Whether the use of company assets (such as mobile devices) is being monitored
- What happens to their personal data after they no longer work for the company
- Whether they must submit to background checks or drug tests
- Whether their use of social media outside the company is being monitored
The information protected can vary depending on the sensitivity of the data and the location in which the enterprise is operating.
Ensuring compliance with laws and regulations
Knowing and understanding privacy laws and regulations is a fundamental component of addressing employee privacy concerns.
TechTarget explains that certain forms of sensitive data (race, political opinions, sexual orientation, etc.) are given enhanced protection under privacy laws such as the General Data Protection Regulation (GDPR) in Europe.
In the U.S., most states have laws concerning data security and data breach notification, primarily focused on identity theft and financial protection, according to TechTarget.
But some U.S. states have enacted stricter privacy regulations, including the landmark California Consumer Privacy Act (CCPA) of 2018, which gives consumers more control over the personal data businesses can collect.
Similarly, Colorado, Connecticut, Utah, and Virginia have also passed comprehensive data privacy laws, per the National Conference of State Legislatures.
This trend of new data privacy regulations is expected to continue, and it’s critical that companies remain compliant.
In a rapidly evolving space like data privacy, it can be helpful to benchmark with privacy professionals at similar organizations.
The Data Privacy Board helps privacy leaders at the world’s biggest companies (Expedia Group, USAA, FedEx, and more) get fast answers to their toughest questions by connecting them with peer practitioners in a confidential, vendor-free community.