4 Steps to Leverage Monitoring Analytics and Insights to Secure Data While Protecting Employee Privacy

Posted on by Isaac Kohen

Companies from the UK and the EU to North America are in a tough spot. Now that GDPR is in full effect, and CCPA will soon be underway, every organization is explicitly charged with protecting user data and responding appropriately when a data breach occurs.

That responsibility has never been more challenging.

Case in point, earlier this year, the European Data Protection Board (EDPB), an independent oversight committee created as part of the GDPR regulations, released its first annual report on data breaches within the EU. In addition to levying $63 million in fines, the EDPB counted 65,000 data breach notifications in the law’s first nine months.

It’s no wonder that there is a veritable exodus among IT security leaders globally. According to a recent survey, 82% of IT personnel feel burned out, and more than half consider quitting their job. Perhaps most notably, 63% of respondents are considering leaving the industry entirely.

Indeed, today’s digital landscape is replete with threats from every angle, and in many cases, a company’s own employees are one of its biggest threats. As a 2018 study by the Ponemon Institute highlighted, “Data breaches caused by insiders increase in frequency and cost.” The specific tallies can vary, but accidental and malicious data misuse is undoubtedly on the rise.

While more invasive and in-depth control over employees' technology might seem like an obvious solution, employees still have legal privacy rights, and no company wants to destroy employee morale by conducting unnecessary or excessive oversight.

Instead, companies need to strike a balance. On the one hand, they absolutely have to protect their customers’ data, and, on the other hand, they need to preserve their employees’ privacy. Fortunately, these competing obligations are not antithetical to one another.

Here are four ways to leverage analytics and intelligence from monitoring insights to secure user data while protecting employee privacy.

#1 Pick Your Purpose

Employee monitoring is becoming increasingly common among companies of all sizes, and its capabilities are more expansive than ever before. Today’s monitoring services offer comprehensive analytics on all types of metrics, something that can provide an incredible benefit while also requiring unique intentionality.

For instance, companies can deploy monitoring software to assess productivity, to ensure data security or even to develop a data-driven approach to things like customer service.

Regardless of the ultimate purpose, most experts agree that less is undoubtedly more. At the same time, several GDPR articles prioritize minimization, making specificity a top priority. And because any personal data collected through monitoring activity must be justifiable, every company should work to ensure parity between purpose and practice.

Therefore, be clear about the purpose of monitoring to ensure that the arrangement is justified and that real benefits will be delivered.

#2 Consider the Implications

It’s possible that employee monitoring can harm employees, and companies need to understand the risks before they begin. What’s more, any adverse consequences must be justified by the obvious benefit to the employer.

In the UK, the Information Commissioner’s Office recommends that companies considering implementing employee monitoring solutions conduct a Privacy Impact Assessment that helps organizations understand how their priorities might impact their stakeholders.

In addition, GDPR Article 35 explicitly charges companies to consider the implications of their data collection initiatives, something that can have significant long-term payoff for companies that avoid data disasters later down the road.

It’s possible that there are better alternatives to monitoring employee data, and, at the very least, companies can embrace this approach knowing that they have measured its impact on their employees, which will make it significantly easier to communicate to their stakeholders.

#3 Communicate with Stakeholders

In many highly publicized criticisms of employee monitoring initiatives, the practice is likened to spying, an unwarranted and secretive assessment of workers’ viability in the digital age.

However, companies dispel this myth when they communicate with stakeholders about the purpose and scope of their monitoring activities.

Although it might be tempting to catch potentially malicious users with secretive surveillance techniques, there is obvious and inherent value in deterring these crimes in the first place. Moreover, this scenario puts companies in a legally dubious situation that doesn’t support employee well-being or a positive workplace culture.

If an organization adopts monitoring technology that is too complex for it to explain to its workers, unions, representatives or other stakeholders, then it needs to go back to step one before implementation.

For example, companies should be able to convey:

  • the purpose of monitoring, 
  • how monitoring will take place,
  • when it will occur,
  • what will be done with the information collected.

When clear communication and an open feedback loop are established, companies can best derive the benefits of employee monitoring without compromising privacy or culture.

#4 Choose the Right Approach and Use It Effectively

Choosing the right approach can make all the difference when trying to protect employee privacy.

We’ve come a long way from the one-size-fits-all software approach that defined the early days of employee monitoring. Today’s monitoring software is comprehensive but also configurable, allowing organizations to be selective in their oversight, ensuring they comply with their own regulatory requirements for data privacy.

Specifically, this might include features like auto-redaction, which ensures that an employee’s personal information is never viewed by company officials. Similarly, monitoring restrictions based on task, application, location, time of day or even by user behavior can appropriately restrict the amount of information collected, ensuring only relevant data is captured.
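As an added illustration of the configurable, minimizing approach described above (example code written for this post, not Teramind's product or any vendor's API), the following Python sketch applies three of the restrictions mentioned before a captured event is ever stored: an application allow-list, a time-of-day window, and auto-redaction of personal data. The policy values, event records, regular expressions and sample events are all constructed for the example; the audit log records only counts of redactions and the fact that an event was dropped, never the content that was excluded.

```python
"""Policy-scoped monitoring pipeline (added example, not the page's code).

Captured events pass through scope checks (application and time of day) and a
redaction step before storage, so reviewers never see out-of-scope activity or
personal data that the stated purpose does not require.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class MonitoringPolicy:
    """Constructed policy: purpose, in-scope apps, capture window, redaction rules."""
    purpose: str
    in_scope_apps: frozenset = frozenset({"crm", "billing"})
    capture_hours: tuple = (9, 18)  # capture only between 09:00 and 18:00 local time
    redact_patterns: dict = field(default_factory=lambda: {
        # Hypothetical patterns for common personal-data categories.
        "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
        "card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
        "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    })


@dataclass
class Event:
    """One captured activity record (constructed shape, not a vendor format)."""
    user: str
    app: str
    timestamp: datetime
    text: str


def in_scope(policy, event):
    """Scope check: application allow-list plus the time-of-day window."""
    start, end = policy.capture_hours
    return event.app in policy.in_scope_apps and start <= event.timestamp.hour < end


def redact(policy, text):
    """Replace each personal-data match with a labelled placeholder.

    Returns the redacted text and a per-category count for the audit record,
    so the log shows that redaction happened without retaining what was removed.
    """
    counts = {}
    for name, pattern in policy.redact_patterns.items():
        text, n = pattern.subn(f"[REDACTED-{name.upper()}]", text)
        if n:
            counts[name] = n
    return text, counts


def process(policy, events):
    """Return (stored_records, audit_log).

    Out-of-scope events are never stored; only the fact that they were dropped
    is logged, which supports the 'what will be done with the information'
    explanation owed to stakeholders.
    """
    stored, audit = [], []
    for ev in events:
        if not in_scope(policy, ev):
            audit.append({"user": ev.user, "app": ev.app,
                          "action": "dropped", "reason": "out of scope"})
            continue
        clean, counts = redact(policy, ev.text)
        stored.append({"user": ev.user, "app": ev.app,
                       "time": ev.timestamp.isoformat(), "text": clean})
        audit.append({"user": ev.user, "app": ev.app, "action": "stored",
                      "redactions": counts, "purpose": policy.purpose})
    return stored, audit


# Constructed sample events: one in scope with an e-mail address, one from a
# personal application, one outside working hours, one in scope with card and
# SSN-like values.
SAMPLE_EVENTS = [
    Event("alice", "crm", datetime(2019, 10, 1, 10, 15),
          "Customer jane@example.com asked for refund"),
    Event("alice", "personal-mail", datetime(2019, 10, 1, 10, 20),
          "Doctor appointment Friday"),
    Event("bob", "billing", datetime(2019, 10, 1, 20, 5),
          "Card 4111 1111 1111 1111 charged"),
    Event("bob", "billing", datetime(2019, 10, 1, 14, 0),
          "Card 4111 1111 1111 1111 charged, SSN 123-45-6789"),
]


def demo():
    """Run the sample events through a policy whose purpose is billing fraud detection."""
    return process(MonitoringPolicy(purpose="fraud detection in billing"), SAMPLE_EVENTS)


if __name__ == "__main__":
    records, log = demo()
    for r in records:
        print("STORED", r)
    for a in log:
        print("AUDIT ", a)
```

The design point is ordering: scope filtering and redaction run before anything is written, so the stored record is already the minimized version and the audit trail can be shown to employees or regulators without itself leaking the data it describes. A real deployment would load the policy from configuration and treat the pattern list as something the privacy impact assessment reviews, rather than hard-coding it as here.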

Successfully navigating today’s digital ecosystem can be hazardous, and companies have a big job ahead of them. However, they are not without the modern protocols to help make the job more manageable. 

Isaac Kohen

CTO and Founder, Teramind


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
