‘Privacy and internal communication? It starts with common sense.’
An efficient organization stands or falls on smooth communication, collaboration and knowledge sharing. A social intranet brings all of these things together. But how do you make sure this happens in secure way? Can you, for example, add employees without their permission to a specific community? And what does the privacy law say about internal communication?
Leonie Gerding has to think about her own privacy and data protection since she, as a senior-consultant at Verdonck, Klooster & Associates, advices organizations in the field of privacy, cybersecurity and digital ethics. General director Rik Mulder (Plek) spoke with her about recurring customer questions. About privacy, safety and the GDPR, launched a year ago.
When are we doing things right?
Rik: 'We have noticed that our customers are struggling with the privacy topic. They often ask themselves: when are we doing things right? And I understand this, because a year after the GDPR, you barely see jurisdiction. You can find information about how to deal with the outside world – the privacy of customers – but not how to put these new privacy rules into practice when it comes to your own employees.'
Leonie: 'I often hear that nothing is allowed when it comes to the GDPR. The GDPR contains 99 articles, but these articles don’t specifically indicate what is and isn’t allowed for your employees. You have to fill in this gap yourself, depending on the organization’s actions. About eighty per cent of the GDPR is the same as under the old legislation, but a lot of organizations didn’t do much with that before.
These organizations are now struggling and find it increasingly difficult to apply new rules within the GDPR. Formalities are their first challenge. Keep track of processing operations, agreements and being transparent about the person you process personal data from. Companies should have been familiar with these agreements and notifications of registrations before the implementation of the GDPR.'
It has been a year since the Netherlands had to apply the GDPR, the General Data Protection Regulation. As a result of the new privacy law, the same privacy rules apply everywhere in the EU. On May 25th 2018, the GDPR replaced the Personal Data Protection Act.
Working together is sharing information
Rik: 'When I do work sessions with clients, I sometimes hear: 'What about my own privacy?' And: 'I don’t know if I want my picture to be published on the intranet.' I often tell them that it’s logic to share information about yourself within an organization where you work and collaborate with others. I am talking about data such as your name, e-mail address and phone number. With these data, colleagues can easily reach you. But what do you think?'
Leonie: 'In the digital era, I think you can’t escape working together in the digital space. It’s often also part of your job to be visible and reachable. If you are, for example, a project manager, you have to reach out to people to ask them questions. This way you need to have access to these data. But you do have to think carefully in advance about the purpose of the data, which communication channels you are going to use for and which information you want to be shared.'
Rik: 'We advise to make good agreements about this beforehand. Which type of agreement do you think works best?'
Leonie: ‘It is good to put something on paper, also because this helps in being transparant towards users. But it’s also a good start in how to improve collaboration amongst employees while respecting each other’s privacy. I am not a fan of strict rules or agreements – it usually ends up in the back of a bureau and nobody reads it anymore. But a good readable statement about how to communicate with each other works perfect.’
Rik: ‘Exactly. Such a text could also be good to show people when they first enter their intranet. Leonie: “And you can also use it as part of an onboarding-program. When an organization works with an OR, it is important to also take this into account in the new workaround. Will you communicate and collaborate in a new platform and do you want to monitor this, make sure you discuss the rules before.’
Rik: ‘Our clients are sometimes nervous about the content on their intranets.’ 'Because imagine shady things are happening in closed groups.' At Plek we agreed that a boss or admin can’t see what is happening in a closed group, when he is not a member of the specific group. The American company Slack, was recently in the news because they gave managers permission to download private conversations in chats. I think this is bad for the privacy and the trust within a company.’
Leonie: ‘It’s good to include something about it in your house rules or HR handbook. If there is a clear business interest, the employer is allowed to access and investigate private messages. It depends on the communication channel - email, phone, it doesn't matter. A concrete indication however is essential, but also the context in which the investigation takes place, should be described in the house rules. So employees know what they can expect.’
Who is the most active on the intranet?
Rik: ‘Statistics on the use of the platform can also cause sensitivities. Especially clients in the public domain, prefer – out of privacy considerations – to don’t track how active employees are on their intranet. But we say: You can use it in a positive way – it thrives enthusiasm, if you demonstrate and talk about the most active users on the platform.
How do you look at this?
Leonie: ‘As in so many things, it helps to use common sense. The key question is: what can you do to reduce processing personal data or monitoring behaviour? You can ask yourself, for example, whether it is really necessary to keep track of individual statistics.
If you want to use statistics on a social intranet, you may be able to achieve that goal by not looking at the level of the person, but by looking at which teams are more or less active.'
‘My most important message is: as long as you are transparent about it and if you take responsibility for the safe processing of personal data, a lot is allowed within the GDPR. My advice is: look at things in the right context and try to keep it small. Always think about whether you can explain in plain language how you can do things. Privacy is not that difficult: with common sense, you often know how to do it in a privacy-friendly way.
Leonie Gerding is a senior consultant within the privacy, cyber security and digital ethics sector at strategic ICT- consultancy agency Verdonck, Klooster & Associates. She helps organizations to process data in a safe and responsible manner, while acknowledging the complex and continually changing law.
Rik Mulder is general director of Plek. He helps organizations with the successful implementation and activation of social intranet and community platform Plek. He is also in charge of a team of 25 designers, developers, advisors, testers and support employees.