As GDPR turns two and with CCPA live, it's time to talk about data privacy at work

By Raju Vegesna, September 9, 2020
Summary:
Much of the discussion of GDPR and CCPA focuses on consumers, but data privacy is also an issue for employees, writes Zoho's Raju Vegesna


A few months ago, the General Data Protection Regulation (GDPR), Europe's stringent and ambitious law protecting data privacy, turned two years old. While many companies have accepted the law as a sign of changing times, others seem to be doing the bare minimum to adhere to its requirements, especially those whose business models are built around selling and trading user data. 

GDPR's reach extends beyond Europe, affecting any company that does business with European citizens or businesses. California's landmark Consumer Privacy Act (CCPA) took effect at the beginning of 2020, even as Google and others attempted to weaken its language and create exemptions for their own financial gain. While the legislation is a big step toward educating everyday people on the ins and outs of how and when their data is being used, few think about how their online activity at work may also have implications for their personal data privacy.

Under both GDPR and CCPA, fines have been rare and, when they do occur, relatively small. Until the fines and their monetary implications become more severe for tech companies, data privacy, particularly the privacy of employee data, hangs in the balance.

Take, for example, a common situation in which employees use a communication app to chat with team members and other colleagues. In most cases, people at the decision-making level are not transparent about the fact that, even if employees think they are having a private conversation with a colleague, they may be exposing the content of their messages, their usage data, personal information, or all three, based on the communication app's privacy policies. If you look at the fine print in the privacy policy of Slack, for example, employers are permitted to access 'private' colleague-to-colleague messages, without having to notify employees.

Another way customer data is made vulnerable in B2B exchanges has to do with trackers. Companies that pay for advertising want to know whether their investment in outside marketing is translating to leads and increased traffic. This is why most software vendors work with third-party tech companies like Google, Facebook, Twitter and LinkedIn, among many others, to get analytics data on their customers, users, and prospective customers. This quid-pro-quo between businesses is problematic, and hopefully we are moving toward a future in which vendors hold their customers' privacy above benefits wrought from tracking and exchanging their behavior.

It's one thing to track the personal online activity of a user; however, it's entirely different to deal in the personal data of an unsuspecting employee who is using a service or software as a core function of their job.

What is the solution?

For employees looking to protect their data and privacy in the workplace, there are a few questions they can ask their employers: 

  • Are third-party privacy policies easy to understand? In most cases, not really. Taking a look at Zoom's privacy policy, for example, requires lots of time and the ability to understand some fairly technical jargon. Further, some of the actual policies can be alarming. For instance: "[Zoom] Products do not support Do Not Track requests at this time, which means that we collect information about your online activity both while you are using the Products and after you leave our properties." This is obviously concerning for workers who are forced to use Zoom at work but would prefer that the company not track their online activity "after you leave their properties."
  • Does your employer pledge to keep employee data private? A recent Gartner survey found that more than half of companies used "nontraditional monitoring techniques" to track employees. In addition, when employees use apps such as Twitter while at work, they may be divulging information on how and when they use other common workplace apps, such as Salesforce or Zoom.
  • Does your employer use apps that don't collect consumer data? While some apps only collect data that's necessary for them to work effectively, others clearly take the practice to another level by unnecessarily tracking things such as online activity.

The bottom line is, if the U.S. wants to continue without considerable oversight — something like Europe's GDPR — companies need to be more forthcoming about how their third-party partnerships are mining data from employees without them knowing. 

Further, if today's businesses don't take action when it comes to privacy, they face many potential risks, such as losing key employees and damaging their company's reputation. On the flip side, educating employees in good faith has a number of benefits for business owners, such as attracting talent and building trust with their workforce.

Everybody wants to work for a company that is open and honest about how data and privacy may be affected when on company time, but employers and employees need to work together to ensure success.