Employees on file: How new data rules leave businesses exposed
We are experiencing drastic shifts in the way we work and how businesses operate, which has led to the rise of security and data privacy concerns from both inside and outside organizations. The recent story of Swedish multinational retail company H&M being hit with a monumental €35 million ($41.3 million) GDPR fine for illegally surveilling employees in Germany has startled the world.
According to Business Insider, “This is the second-largest fine levied against a single company over data breaches after the EU introduced new General Data Protection Regulation laws in 2018.” What’s perhaps more startling is that the fine focuses on the data collected on employees of the company. And while this example is a bit extreme, one has to wonder about the millions of employee files that are kept on company servers around the world. The information collected in good faith by employers to better understand and engage their employees is quickly becoming a major risk to companies.
Add this to the growing list of data breaches affecting customer and user data, and the severity of the situation is even more dire. Last year, for example, even major corporations such as Facebook, Panera Bread and the Sacramento Bee experienced data breaches that put tens of millions of personal records into the hands of criminals.
Companies need to rethink and reinvent their strategies for online safety, data privacy and the security of both their internal and external data. What’s more, we need to collectively prepare for future hurdles together in order to thrive in any given situation.
While GDPR is still mostly a concern for European companies, it is quickly becoming a template for how governments should hold companies accountable for the data they collect and are entrusted with. To get a broader perspective on the topic from various professional backgrounds around the world, we’ve engaged our BriteBirch Collective members to weigh in on the topic of data protection and privacy.
Raheel Qureshi - Partner, iSecurity, based in Toronto, Canada
With more and more organizations leveraging the Internet to share and store data, the need for cybersecurity is more relevant today than ever before. Priority is placed on protecting client information to maintain reputation and mitigate the financial implications of a data breach. Organizations are also driven by regulations that protect the data of the people they serve; for example, in healthcare there are regulations to protect the Personal Health Information of patients.
But what about the people who bring organizations’ products and services to life? Specifically, what onus falls on organizations to better secure their employee data, or to control the level of technology oversight or internal monitoring of their on-site or remote workforces? Without a doubt, there is a growing need to pay more attention to ensuring employee data privacy.
Client data privacy often ties into Corporate Social Responsibility and it is arguably becoming more important to treat employee data in the same way. Many organizations state that they take the security of employee data seriously, but only very few specify how they do so. Today, this is a differentiator across the industry. Employee trust in their employer breeds loyalty and retention. Public brand trust is also becoming more important for success in competitive product and service markets. As an overarching measure to achieve the above, a data governance strategy for the protection of employee data and its use is ultimately what organizations should be seeking to achieve. Currently, data governance strategies focus on client or business information management. It is time that we move beyond this as standard business and operating practice.
Maha Abu-Ghoush, Change Management Consultant based in Lebanon/Canada
Digital transformation is the process of adapting existing business practices to new digital methods, to increase efficiency and keep up with rapidly changing market demands. Implementing digital transformation is a challenge at the best of times but it becomes even more difficult when you have global and remote teams in your organisation and the information and data on employees, customers and other stakeholders is spread all over.
By taking an integrated approach to digital transformation implementation — linking interrelated workstreams, including business process reengineering, organizational change management, organizational design, agile project management and especially data and security measures — companies will allow remote, virtual teams across the globe to work anywhere, anytime without the need for close micromanagement and/or continuous surveillance. This offers increased productivity, flexibility and adaptability, with a stronger grip on data security.
Shinwoo Kang - Founder of Artisan, a boutique consultancy company based in South Korea
Being a leading ICT nation, South Korea has for some time had in place a Personal Information Protection Act which mandates a similar scope/level of protection as GDPR, although the penalty for violation is much, much lighter. Perhaps thanks to such a rigorous regulatory framework, there’s yet to be a major GDPR violation case involving Korean firms.
There have, however, been a series of corporate scandals where businesses conducted illegal surveillance on their employees. Earlier this year, Samsung’s third-generation owner LEE Jae-Yong had to issue a formal apology for the conglomerate’s practice of monitoring employees who were deemed politically progressive in order to undermine efforts to establish a workers’ union; it had been revealed that the company HQ had compiled a list of employees who were making donations to left-leaning NGOs. For decades, Samsung had a strict policy of not allowing labour unions.
Companies will need to take heed of how they monitor, capture, share and secure the data they collect on employees, as much as, if not more than, on external stakeholders. If your employees don’t trust you, then your business won’t get very far.
Ronald Mincheff - Co-Founder of Talquimy and Global Comms Strategist based in Brazil
The Brazilian data protection law went into effect just last month. Due to the pandemic, there were rumours of a possible postponement to 2021, but with the approval in the Senate and, subsequently, presidential sanction, we saw a movement from brands requesting user approval of their updated terms of social use.
Experts say that this legal framework has a similar importance to our Consumer Protection Act. Effects have already appeared in the same month it took effect, with a conviction against Cyrela, a large real estate company, which was ordered to indemnify a client 10,000 reais (approximately USD 2,000) for sharing his personal information with third parties.
As everywhere else, companies must consider all the data at their disposal and safeguard it as though it were their own. Companies in Brazil, in South America, or anywhere in the world are not exempt from this responsibility.
As Raheel states: “GDPR in Europe is setting the bar high. At this point, North America and other regions are not governed by the same requirements – however, there is a real benefit to considering the enforcement of fines should organizations of certain sizes not implement technical security controls for the privacy of the people who play a key role in their success.”
If you would like to leverage the power of perspective for your business, please reach out for a conversation to learn more about how we curate unique teams to solve modern business challenges.