In a GDPR world, how can companies protect employee data?

By Alix Pressley

Patrick Van der Mijl, Co-Founder and Chief Product Officer, Speakap, discusses potential threats to organisations over non-compliance with GDPR. 

On May 25, 2018, the EU GDPR officially came into effect. This data privacy regulation, which has transformed the digital landscape, overhauled how companies collect, store, process and remove data.

But according to a recent poll by IT services firm Bluesource, three-fifths of IT executives across over 200 large UK organisations said their employees pose the biggest threat to GDPR compliance. As unfortunate as this finding is, it’s not that surprising given how commonplace it’s become for employees today to use multiple communications tools such as messaging apps, social media and more. And as our own research indicates, this isn’t simply happening in employees’ personal lives – it’s happening in their work lives too. In fact, 53% of the surveyed frontline workers in our study said they use messaging apps such as WhatsApp and Facebook Messenger for work-related communications up to six times daily. Meanwhile, 16% of the respondents admitted that their HR departments were unaware of such usage.

The scenario I’ve described poses numerous threats to organisations. For one, it makes it incredibly difficult for their HR departments to gain proper visibility into the technology and tools being used by employees to communicate with each other and share highly sensitive, even classified, information and documents. But if those unapproved tools, such as WhatsApp and Facebook Messenger, aren’t secure in themselves and have experienced data breaches in the past, it puts the organisation’s data privacy and GDPR compliance status in serious limbo. This isn’t something any organisation can afford to let happen, given the hefty fines of 4% of an organisation’s annual turnover being imposed for violation of GDPR.

This brings me to an important question – what can and should CIOs be doing to ensure that all employee data is processed and handled in a secure manner? Before I go any further, it’s fair to say I appreciate that internal communications does not fall under a CIO’s remit – it’s usually owned by HR, internal communications or marketing. However, CIOs are responsible for the digital infrastructure of a company that supports enterprise goals. Communication tools (be it email, employee communications platforms, HR technology or other technologies) come under this, and ultimately all departments want to see a healthy balance sheet. Disengaged employees will not enable this, as turnover is an expensive loss to accommodate.

So now I come back to my earlier question. What can and should CIOs be doing to ensure that all employee data is processed and handled in a secure manner?

Ask the right questions before implementing new technologies

As a CIO, it’s important to ask the right questions when you’re considering purchasing and implementing SaaS software or technologies that will be used by the employees across your organisation. If you don’t ask the right questions, you could miss out on an important detail, such as the fact that a vendor you’re considering suffered a massive data breach, which left its customers’ data exposed and vulnerable.

Some questions I would ask include:

  • What specific steps has the vendor taken to prepare for GDPR, as it relates to their software?
  • Beyond the standard certifications, how detailed, comprehensive and tested are the vendor’s data management and security measures?
  • How will the vendor help your organisation respond to data subject or data removal (‘right to be forgotten’) requests?
  • What does the vendor do to ensure all employee data is removed from their platform if/when the customer ends their contract/relationship with them?

Audit – and get to the truth – of what other communications tools employees may be using

This is where cross-department collaboration will prove critical and valuable in ensuring GDPR compliance. It’s important for the CIO, CHRO, CTO and COO to all work together to review, analyse and assess the current state of security across the organisation. This can’t be achieved through a single task or in a week’s time. It will take some time, and it will require multiple methods to collect and analyse what’s truly happening and which tools are actually being used among the workforce.

It’s extremely necessary for this cross-department collaboration to happen. Otherwise, it will be tough to get the full picture and know what’s really occurring. If you think I’m being pessimistic, think again. Just look at the data from our study and scenario that I previously illustrated – 53% of frontline workers confirmed they use unapproved messaging apps up to six times daily without their HR department’s knowledge. If this is occurring within organisations that have frontline workers who don’t sit in front of a computer and don’t have company email addresses, the damage caused by this ineffective data handling and eventual GDPR non-compliance could be far-reaching.
This article originally appeared at http://www.intelligentcio.com/eu/2019/04/01/in-a-gdpr-world-how-can-companies-protect-employee-data/