The massive and abrupt shift from employees working in the office to working from home due to the COVID-19 pandemic has not only presented logistical and cybersecurity concerns for businesses, but it has also created unintended risks to data privacy.
As companies focus on being productive and profitable, it is vital to reduce the data privacy risks that may negatively affect their businesses. Here are three strategies companies can implement now to protect private data better and help employees thrive while working from home.
Remove IoT Devices from your Workspace
IoT devices such as smart speakers have IP addresses, are connected to the internet, and are always in listening mode, even when people are not directly interacting with them. When an employee working at home discusses sensitive or confidential information, it is essential that the conversation is not being listened to or recorded by IoT devices. These audio recordings are used for training and other analysis by the makers of these devices and may not be held in a confidential manner. The use of these listening devices is voluntary, so the consent of the user is assumed from a data privacy perspective.
Conversations overheard by listening devices become the property of the company providing the IoT service and are out of the control of the employer and the employee. When working from home, employees should disconnect these IoT devices or relocate them out of areas where sensitive information is being discussed. This will reduce the risk of data being unintentionally recorded or intercepted.
Beware of BYOD Policies
Even before COVID-19, “Bring Your Own Device” policies at the office were a huge point of contention: companies wanted better control of data in their organizations while acknowledging that BYOD policies save money, since the company need not incur the hardware investment. Due to the need for companies to ramp up work-from-home systems quickly, many have allowed even more employees to use their own desktops, laptops, mobile phones, and tablets to log in to company resources.
When employees use their own devices, sensitive company data might be replicated or stored on those personal devices, which leaves the company without control of its data. Companies must establish best practices to allow BYOD while minimizing data privacy risks. When possible, companies should develop workflows to prevent company data from being saved to or stored on the devices of employees. Companies can do this by implementing VPN access to networks, establishing designated locations to save documents or collaborate on documents, minimizing printing of sensitive or confidential materials, and developing plans to remove sensitive documents from employee devices if needed.
Limit the Collection and Retention of Employee Health Data
Companies concerned with the wellbeing of employees during the COVID-19 public health crisis are now in a position to collect health-related information about employees, which would otherwise have been shared only in a doctor-patient medical setting. Even when employees are working from home, employer health inquiries and the retention of employees’ healthcare data can create a unique data privacy challenge.
For example, sharing the health status of an employee with other employees may violate the privacy rights of the individual. Employers who track wellness and things like biometric data using apps can also cause data privacy issues if it is not clear to employees how this data is used and when the company should delete the data. If companies must collect this data, they should be transparent with employees on how their health data will be used and how long it will be retained. Having the ability to minimize data collection and delete data once it is no longer needed is key.
Finding ways to deal with the unintended data privacy risks that arise from employees working from home is challenging, but taking proactive steps to address IoT devices, BYOD hardware use, and the retention of employee health data is something companies can implement today to reduce the risk of data privacy challenges.