Employees need to be data conscious
BY EDWIN CONCEPCION Edwin Concepcion is the Philippine country manager at Straits Interactive, a leading data privacy consultancy across the Asean region.
The Manila Times
Sunday Business & It
EVER since the Covid-19 pandemic turned the world upside down, upending our concepts of what work is, where and how it could be conducted, and whether we need traditional workplaces at all, organizations have grappled with the right approach to take. Some organizations have started to insist that employees ret”rn to the office full-time, back to the way things were pre-pandemic, while some have embraced a full remote arrangement with their staff, leveraging video conferencing and other digital collaboration tools to conduct work as usual. Then, there are the organizations that rotate their staff from home-based and office-bound schedules periodically or allow them the flexibility to shuttle between the two schedules. One of the chief concerns of organizations, when they were compelled to adopt work-fromhome arrangements, was the worry that productivity would dip; they worried that staff would not perform at optimal levels if they were not supervised as they would be in the office. Kevin Shepherdson, CEO of Straits Interactive, called this the “Don’t Watch Netflix” Employer Syndrome. “Many employers may be concerned whether their employees are really doing work at home,” so they resort to surveillance technologies, some of which may be overly intrusive — taking screenshots or recording staff behavior on the computer — and inadvertently collecting personal data. “[As an employer] yo” need to take this surveillance into account as part of your data protection and privacy practices.” I agree with his assessment that productivity has been a top priority in this new normal. In fact, I experienced such surveillance myself even within the office. At my previous employment, the other employees and I had to provide our fingerprints, have our photos taken and key in our employee ID codes every day. There’s definitely a lot of monitoring and even CCTVs installed to watch the workstations. However, just as Kevin has brought up surveillance, there are significant data privacy and data protection concerns that need to be addressed. Good habits needed Many people may think that having a good info security system would shield your organization from the multiple risks that exist when it comes to securing your organization’s assets and systems. You could have security without privacy, but you could not have privacy without security. What this means is that you may have excellent info security, but you may not be compliant with data privacy laws, such as the Data Privacy Act, or DPA, of the Philippines. So if your organization is both privacy — and security-aware, you would want to extend this posture to staff who operate outside of your office environment — and this could be challenging to enforce when you have a portion of your workforce conducting business operations at home or in remote locations. In Filipino culture, we like to share everything we do with others, whether on social media or with family and friends. In so doing, many of us do not consider the implications of our actions, whether our own personal data and that of others are being exposed. For example, home-based or remote workers may have to handle their customers’ personal data. At the office, the following good practices are highlighted and put in place: 1. Respect the confidentiality of data by not sharing it with coworkers or non-employees who have no legal right to view and use the data. 2. Don’t keep records of the data, such as by taking screenshots or even selfies. 3. Keep customer engagements or conversations private — this is especially pertinent as a recent TikTok trend has Business Process Outsourcing (BPO) staff publishing their interactions with customers. 4. Don’t click Reply All or CC when you don’t intend to — this might expose personal information and reveal email addresses that could raise the risk of phishing attacks. Meanwhile, some additional risks include becoming the subject of phishing attacks, accessing work systems and data ”sing personal devices and unsecured home networks, using weak passwords, and not using encryption when sharing files and sensitive information. For employers who could not monitor this behavior and reinforce good practices, this poses a significant challenge. While the Data Protection Officer (DPO) and IT staff could highlight these good practices, staff that handle personal data also play a vital role in safeguarding such data. DPOs and company leadership need to prioritize employee training and education on best practices, implement the use of complex passwords and multi-factor authentication, conduct regular risk assessments, and implement protocols and policies that address the identified risks. Manage your vendors Today, with more business processes being outsourced, and more of these outsource partners also adopting work-from-home or remote working, this is a wake-up call for companies to review their vendor management practices. Doing adequate due diligence without fail is important to ensure that your prospective vendor does not introduce data protection gaps and risks into your organization’s operations. For example, on the production floor of a BPO, staff are not allowed to bring any personal mobile devices because they are prohibited from capturing any confidential and sensitive information. In a work-from-home or remote setting, it would be difficult to implement this type of control. It’s about people According to a recent survey, nearly 80 percent of Philippine firms have been hit by data breaches over a recent 12-month period. These breaches have resulted in the leak of sensitive and confidential data such as credit card details, passwords and other personally identifiable information. The report highlighted that the majority of these breaches are a result of human error, such as the lack of security awareness training and weak passwords. Working from home, remotely or having a hybrid arrangement, aren’t the only reasons for such a rate of data breaches which is about 20 percent higher than the global average, with the majority of s”rvey respondents losing up to $100,000 and as much as $500,000 due to such breaches. The bottom line is this: businessas-usual now encompasses homebased and hybrid working. Not all organizations could now compel all staff to return to the office. The key is for organizations to focus on employee behavior and inculcating good habits. Look at the persistent habits that lead to risk and exposure and prioritize training and sufficient supervision to ensure these are replaced by best practices. Put policies and codes of conduct in place, otherwise, organizations faced with a data incident are unable to sanction staff or take the necessary corrective action. When it comes to training, instead of focusing purely on the law, focus on what your staff should do well. Basically, teach them to protect personal information. Lastly, one way to reduce the incidence of breaches is to minimize the amo”nt of data yo” as an organization are collecting, such that you have the legal basis and truly need the data to conduct your business operations. This way, you won’t simply be focused on putting up more walls around your data, your business and your staff. Reducing the amount of data you collect, and knowing what you collect and use, makes the task of protecting it more manageable.