The need for personal privacy is a basic instinct, but we are also social creatures and modern technology is exploiting that, Baroness Shami Chakrabarti said at a conference in November 2018.
The former director of Liberty civil liberties group told delegates at the CIPD conference in Manchester: “There are huge risks when it comes to communicating online and our digital imprint is seriously compromising us.”
Social media and personal privacy is, she said, something that is very tricky for employers to navigate. “It’s an asset but a liability too. I generally advocate more trust and less snooping but employers need to have a conversation with employees about what is and isn’t acceptable.”
Tech providers, such as Facebook and Twitter, also had an ethical responsibility to look after people’s virtual safety and ensure that people weren’t vilified or subjected to online trolling, the barrister said.
Protecting your privacy at work
Paul Bischoff, editor of Comparitech website, said that there are a number of ways employees can compromise their personal privacy, and that of their employer. “Employees who log into social media, shopping websites, and other accounts on office devices might not realise that their activity can be monitored and recorded by their employer, even when those devices are taken off company property,” he notes. “On top of that, accidentally leaving an account logged in or saving your login credentials to a work computer can leave openings for others in the office to invade your privacy.”
Employees should be aware of the lawful extent of employment background checks and at-work surveillance, Bischoff says. “For example, employees are not required under any circumstance to give an employer the passwords to their social media accounts.”
Implementation of a data protection policy
When it comes to implementing a data protection policy, there are four key things which should be considered. “What information is collected, how it’s used, who can access it, and how long it is retained,” Bischoff explains. “The first point is pretty self-explanatory. Employees and customers alike should know their data is being used and the context under which it was collected.
“Access should be limited to the minimum number of people possible, and employees need to give opt-in consent for their information to be shared with any third parties. Finally, personal data should have an expiration date. When data reaches the age limit, or when a customer or employee leaves the company, their data should be deleted.”
Why millennials and Generation Z are most at risk
Tom Tahany, intelligence analyst at Blackstone Consultancy security specialist, says millennials (those born between 1981-96) and Generation Z (1997 onwards) are the ones who are most at risk of flouting privacy regulations.
“Journalist Marlow Stern, writing for the Daily Beast, coined the term ‘generation overshare’ to describe how the younger generation posts vast amounts of data online,” he notes. “From sources such as Facebook, Twitter and Instagram it is possible to chart enormous sections of an individual’s life, from where they shop to where they holiday and even discover details about their daily routine.”
Under the revised General Data Protection Regulation (GDPR), which came into force on 25th May 2018, companies must also use ‘appropriate technical and organisational security measures’ to protect the data they collect on employees against accidental loss, disclosure or unauthorised processing.
Sean Potter, content manager at Evoluted digital agency, says: “In addition, people will be allowed to request for valid updates to be made to any information held about them at any point.”
Maintaining GDPR for employees
In data terms, your organisation is what’s known as the ‘data controller.’ Potter explains: “This means that the responsibility for compliance is placed firmly at your door. To prove compliance with GDPR, you will need to maintain ongoing records. You’ll also need to put policies in place for governing the collection and use of data.”
Some companies, especially larger organisations, outsource GDPR to a Data Protection Officer (DPO).
“This would provide you with a dedicated employee with extensive GDPR knowledge – and also the time to handle all potential time taken up by the area (removal requests, requests for information held, knowledge shared throughout the company etc.)” Potter says.
“Only you can decide whether a DPO is right for your company. The amount of data you handle may be the deciding factor.”
Georgina Fuller is an award winning freelance journalist and editor.