Technology has long been changing the way businesses monitor employees. Only recently, with the onset of the COVID-19 pandemic and the shift to remote working, have implementation efforts seemingly been thrust into overdrive, requiring compliance officers to take a step back and consider the risks from a regulatory and ethical standpoint.
The opening session of Compliance Week’s virtual Cyber Risk & Data Privacy Summit on Tuesday addressed these challenges in the context of the modern threat environment. The physical workplace has been phased out for many businesses for the foreseeable future, leaving managers and executives with less visibility into their employees’ working habits. While artificial intelligence (AI) and other tools seem a simple solution to this problem, the burgeoning data privacy law landscape creates a series of pitfalls for companies to navigate.
“They all impact the use of [monitoring technology]; it really just depends on the countries where you do business,” said Evan Bates, director of product management at privacy management software provider OneTrust, regarding the California Consumer Privacy Act (CCPA), the European Union’s General Data Protection Regulation (GDPR), and other privacy legislation to take effect in recent years. Putting a strategy together that takes the requirements of each law into consideration is the best place to start, he said.
The most general approach to take, regardless of region, is one of transparency, added Ian Amit, chief security officer at cybersecurity software firm Rapid7. Ensuring employees are aware of what information is being collected on them, where it is being stored, and for how long can help reduce worker concerns that their data might be used against them.
“You don’t have to hold all the data in order to continuously analyze it,” Amit said. “… In that way, you’re minimizing the impact and exposure to legal and regulatory requirements, maintaining privacy, and establishing better trust relationships between yourself and employees.”
Through that trust, said Amit, comes the most important element of compliant employee monitoring: consent.
“It makes the whole process much more effective, and you also see a higher rate of (employees) providing attestation and willingness to be included in that monitoring system if they actually know what it’s used for,” he said. “You can reduce the Big Brother aspect of it.”
Businesses need not look far to find examples where playing Big Brother has led to big fines—perhaps most prominent in recent memory being the €35.2 million (then-U.S. $41.3 million) penalty retailer H&M was ordered to pay in Germany in October 2020 for excessive monitoring of employees in violation of the GDPR.
Pick your battles
A survey at the start of Tuesday’s session polled audience members on their use of AI to oversee employees and monitor external threats. Nearly three-quarters of respondents (71 percent) said they are still exploring AI projects for each use case.
To help with determining where to use technology for monitoring purposes, Bates and Amit each advised considering alternatives first. Can you get to the same outcome by setting performance baselines for employees to meet? It might not be worth focusing attention on how long it takes a worker to complete a task if the task is still done within a reasonable timeframe.
“Look at the results, don’t look at the process,” said Amit. This approach proves especially relevant in cases where employees are not using computers.
Further determinations on proper technology use can be made through continuous audits. “You may want to consider how frequently you’re testing those controls to make sure they have the correct service uptime and reliability you need as a business,” said Bates.
Managing external threats
Consumer pressure for businesses to know what their vendors are doing is on the rise. To meet this “monumental task,” new technology is a valuable difference-maker, said Bates.
For example, environmental, social, and governance (ESG) requirements coming into effect in some parts of the world might require tracking Scope 3 emissions generated by third parties in a company’s supply chain. This data, arriving in different formats and languages, can be more easily processed through AI-based tools, Bates said.
Amit added, “If your supply chain is very large and you have a lot of data points to use from different suppliers in different countries, it’s a classic use case for employing AI to identify anomalies and differences in tracking vendors throughout their lifecycle and making sure they are compliant.” Determinations can then be made depending on which third parties increase or decrease the company’s overall risk, he said.