As the world enters the second year of the COVID-19 pandemic, it's unsurprising that pandemic-related issues would be at the top of executive priorities. Many workers are working remotely from home. Even under the most optimistic scenarios, many companies plan to extend remote working into 2022. The pandemic has changed the world in many ways, not least through a fundamental change in the workplace and how employees interact – many workers will simply not return to a physical office. As the hospitality industry embraces remote working, it is critical to consider the privacy implications.
This article is not intended to debate the pros and cons of remote working, but it is important to briefly consider that there are advantages to remote working. One obvious benefit is cost savings. For many companies, rent is the second largest outlay after employee compensation. Perhaps even more important, remote working may be an advantage in recruiting talent. Many candidates consider the opportunity to work from home an important perk, and remote work capabilities expand the talent pool beyond the immediate geographic area. For the hospitality industry, remote working provides new opportunities. It is easy to see the possibilities created by an increase in employees working "at home" yet away from home. Many lodging companies are already offering amenities aimed at productivity. Benefits like these will ensure that remote working continues long after the current pandemic has passed, which is why the issues discussed here will remain relevant.
Data privacy is closely intertwined with security. With remote employees, an enterprise's technology surface area grows exponentially. Securing a network within the area physically occupied by the company is hard enough. Consider the near impossibility of securing the home networks and devices of potentially thousands of remote workers, each one of whom is a potential entryway for bad actors. Additionally, it is not just the hardware that is subject to attack; the employees themselves can be duped into voluntarily providing sensitive information. Recently, there has been an uptick in phishing scams targeting remote workers – likely the result of less direct oversight and a feeling of security in one's own home. Lastly, having employees access consumer data remotely may run afoul of data access, storage, processing, and deletion requirements and of cross-border transfer limitations. As more employees work remotely, it is harder to keep track of each employee's location and which country's or state's laws may apply to the data that employee accesses.
Despite the overwhelming hurdles of a remote working model, a few basic precautions will go a long way. These recommendations are good advice for any enterprise, with or without remote employees, but for a remote workforce they are necessary.
First, limiting employee access to connections made through a fully updated virtual private network (VPN) will alleviate most of the problems caused by employees using their own improperly configured hardware. This also allows more centralized control over what data and applications the user can and cannot access.
Second, and most critical, are well-thought-out remote working policies and educating the workforce on those policies. Even the most secure networks can't prevent an employee from voluntarily turning over sensitive data in a phishing attack. An enterprise should develop a comprehensive set of policies that govern, at a minimum, permissible devices, remote access to and deletion of data on lost devices, network access, password standards and multifactor authentication, data access and handling, permissible use, and consequences for violations. Yet the policies will be worthless if no one follows them. The next step is to educate the workforce on those policies, the possible risks, and the best practices to avoid those risks. The training must also address relevant data privacy laws. Remote employees can't be constantly monitored and must understand that compliance is part of their job as well. These recommendations are the foundation of a strong privacy program to protect consumer data in the remote working space.
The privacy and security of customer data is paramount to most companies and the constant focus of most CIOs and Data Protection Officers. Historically, it has been the emphasis of regulatory action. However, an often-overlooked concern is the privacy of an organization's own employees. Recently, some of the largest GDPR enforcement actions have related to employee data. These include a $40 million fine against the clothing retailer H&M for collecting and storing details of their employees' private lives and a $12.5 million fine against a German laptop seller for video surveillance of employees. It is clear that regulators are placing employee privacy on the same echelon as consumer privacy. The GDPR already protects employee data and, based upon its current state, the CCPA will apply to employee data soon. Privacy professionals must reorient their own thinking to meet this shift.
In today's remote working environment, companies are reaching into their employees' most private sanctum – their home. The understandable desire to ensure employee productivity, success, and compliance with data privacy and security may tempt some organizations to monitor their employees as they would if the employees were in the office. Applications that record keystrokes or internet search history, or that allow remote access to a device, are certainly available. The risk of unwittingly gathering sensitive data on an employee is significant, and the idea of employer monitoring in an employee's home is an uncomfortable one to most. If an employer believes such monitoring is necessary, it should only be done with due consideration and full disclosure to employees.
The pandemic has forced many employees into working from home. As companies begin to transition their employees back into physical offices, the health of their employees will be a concern, which will create another privacy challenge. In the face of such a highly contagious disease, employee health, vaccination status, and contact tracing are substantial needs, but as we see from the H&M enforcement action, regulators place a premium on employee health information. There is tension between an employee's right to privacy and safeguarding the health of others. An enterprise must consider guidance in its specific jurisdiction and make certain that the rush to guard against the pandemic and transition away from remote working does not trample employee privacy.
Eventually the world will go back to normal, but the world will never go back to how it was. Eventually the pandemic will be over, but the remote workplace is here to stay. Privacy professionals will need to do what they always have done with change – understand how it affects the privacy of every stakeholder and how to comply with the privacy expectations of the stakeholders and regulators.