Insider initiated data breaches are at an all-time high, with all evidence pointing to increased data exposure for the foreseeable future. Organizations around the world continue to turn to technology-based solutions to identify, document and stop data exfiltration attempts and data breaches. There is, however, some concern that these solutions may create a potential conflict with employee and consumer privacy rights.
The General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) has applied since 25 May 2018. Its goal is to secure the data protection rights of individuals in the European Union against any entity that collects or uses their personal data, backed by severe financial penalties for non-compliance. To demonstrate compliance, organizations turn to technology solutions that provide oversight and that put appropriate audit and forensic tools in place in the event of a breach or violation, with the ultimate goal of protecting their customers’ and employees’ data.
How should executives and law enforcement officials weigh the need to control and protect their businesses against the legitimate privacy rights of employees and of the other people whose personal data is at risk? Insider threat and data loss prevention are complex problems, and no single solution works best in every situation. Clearly, however, employers are turning to data loss prevention and workplace monitoring to address these concerns.
Best practice #1: Understand general principles for monitoring
The Article 29 Working Party (WP29, a group of representatives of the data protection authorities from across Europe) and the EDPS (the European Data Protection Supervisor) have both commented on the imbalance of power between employers and employees. Because of that imbalance, employees can give genuinely free consent only in exceptional circumstances, so consent should not be the sole legal basis for processing employees’ personal data. The principles they set out include the following:
- Employees do not lose their privacy and data protection rights at their office door. This means that a country’s privacy and data protection laws are likely to apply to workplace monitoring.
- Employers should be clear about the purpose for monitoring and satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered.
- Any limitation on the employee’s right to privacy should be proportionate to the likely damage to the employer’s legitimate interests: the more intrusive the monitoring, the greater the harm it must be shown to prevent.
- If monitoring is to be used to enforce the organization’s rules and standards, make sure those rules and standards are clearly set out in a policy that also describes the nature and extent of the associated monitoring, and ensure that workers are aware of the policy.
- Workers should be aware of the nature, extent and reasons for monitoring unless there are exceptional circumstances and covert monitoring is justified.
- Identify who within the organization can authorize the monitoring of workers and ensure that they are aware of their responsibilities.
- Any monitoring must be carried out in the least intrusive way possible.
Best practice #2: Identify the purposes for monitoring
Identifying the purposes for monitoring is necessary in its own right and will almost certainly be required in order to negotiate with employees, works councils and data protection authorities. A company considering employee monitoring or data loss prevention solutions should take the time to understand its data flows: what personal or confidential data is used, how and by whom. The resulting data inventory must also identify any sensitive personal information (the special categories of data under Article 9 GDPR) and determine what policies may need to be implemented to protect such data properly. The information gathered from the data inventory should be used to demonstrate to management the risks of failing to protect data and to show how monitoring and security technology will help the company meet its goals.
The inventory of data flows should also be used to identify the company’s greatest areas of risk and to prioritize them. A company should choose monitoring, threat detection and data protection technology that can help identify specific risks related to: (i) the users of the data (endpoint), (ii) the repository where it is stored (data at rest), (iii) the channel of transfer (data in motion) and (iv) the context or use case for which the data is collected in the first place.
Best practice #3: Monitoring must be proportionate
In order for an employer to judge whether monitoring is a proportionate response to the problem it seeks to address, it must consider a number of factors, such as:
- Identifying clearly the purposes or use cases behind the monitoring arrangement and the benefits it is likely to deliver
- Identifying any likely adverse impact of the monitoring arrangement
- Considering alternatives to monitoring, or different ways in which it might be carried out
- Taking into account the obligations that arise from monitoring
- Judging whether the monitoring is justified
These factors are what a Data Protection Impact Assessment (DPIA, required under Article 35 GDPR where processing is likely to result in a high risk to individuals) is designed to capture. Once a company has that information, it will be in a position to ensure that the proposed workplace monitoring solution is proportionate to the risks the employer seeks to manage. The assessment should be documented and made available to works councils, trade unions or other representatives of the employees.
Best practice #4: Consultation
It might be tempting to monitor your employees without their knowledge, and in some cases it may even be warranted. However, many practitioners believe that informing employees of monitoring deters malicious or potentially criminal activity, and you are likely to get better results if you are open about your monitoring intentions and bring your employees on board from the beginning. From a legal point of view, whether you must engage in such consultation depends on a number of factors, including the laws of your country, the size of your company and the existence of any collective bargaining agreements.
It is important for employers to understand the technology they have chosen for monitoring. It is equally important that employers be able to explain to the workers, their unions and other representatives how the monitoring will impact them. Remember that in many countries, workers have the right to participate in decisions that impact the conditions of work. In addition to consulting with the workers and their representatives, it may also be necessary to provide such explanations to the appropriate data protection authorities.
Consultation should cover the purposes for monitoring, how it will take place, when it will occur and what will be done with the information collected. If monitoring will involve managing the work habits of employees, you should be prepared to explain why this cannot be accomplished by means other than automated monitoring. If, however, monitoring is intended to protect company data, employee and customer information or other confidential data, you should be prepared to demonstrate why automated DLP technology is less intrusive than human review of the same material. This is particularly important where personal email may be included in the information subject to monitoring.
Best practice #5: Implement technology that fosters compliance
When choosing your company’s employee monitoring or DLP solution, keep in mind how the technology addresses the privacy and data protection requirements for workplace monitoring and security. Modern employee monitoring software is designed with this flexibility in mind, allowing customers to monitor the use of confidential information and boost productivity while safeguarding employee privacy. This is accomplished in a number of ways: (i) compliance with notices and policies, (ii) legitimate purposes and proportionality, (iii) access on a need-to-know basis, (iv) targeted monitoring, (v) data integrity and accuracy and (vi) security of the collected data.
Best practice #6: Understand the monitoring laws of each country
Data protection laws vary from country to country, even among the member states of the European Union. To complicate matters further, several countries have little in the way of judicial decisions, regulations or legislative guidance to help guide compliance. This makes it all the more important for companies operating in those jurisdictions to have a full understanding of the relevant laws and risks, including the risks of opening employee emails and other forms of communication. Employers who want to monitor must be able to comply fully with privacy laws and regulations as well as with telecommunications requirements.
The headlines make the point that authorities may bring criminal and/or civil actions for breaches of these requirements, and sanctions may be imposed on individuals as well as organizations. Fines must be effective, proportionate and dissuasive in each individual case, and they can be substantial. When deciding whether to impose a fine and at what level, the authorities must consider a statutory catalogue of criteria (Article 83(2) GDPR). Among other things, an intentional infringement, a failure to take measures to mitigate the damage that occurred, or a lack of cooperation with the authorities can increase the penalty. For the most severe violations, listed in Article 83(5) GDPR, fines can reach 20 million euros or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
To proactively address data loss while minimizing privacy risks involved in employee monitoring, contact our specialists in workplace monitoring or find out more about modern solutions essential during remote working.
White paper by Teramind