Employee Monitoring
and Privacy
Andrey Prozorov, CISM, CIPP/E, CDPSE
v1, 2020-11-08
Andrey Prozorov, CISM, CIPP/E, CDPSE
Information Security and Data Protection Manager
• My patreon (ISMS and GDPR toolkits) -
https://www.patreon.com/AndreyProzorov
Agenda
1. Intro
2. Surveillance methods and Tools
3. Specifics of remote work
4. Legal requirements
5. Understanding the needs and
expectations of interested parties
6. Employee Monitoring: CISO and DPO
conflict
7. Risks of inadequate monitoring
8. GDPR Fines examples
9. Important GDPR articles and
potential fines
10. GDPR Principles and Lawfulness of
processing
11. Employee monitoring good
principles
12. Internal Documents and other
recommendations
Definition (Wikipedia)
Employee Monitoring is the act of employers surveying employee
activity through different surveillance methods. Organizations engage
in employee monitoring for different reasons such as to track
performance, to avoid legal liability, to protect trade secrets, and to
address other security concerns. This practice may impact employee
satisfaction due to its impact on the privacy of the employees. Among
organizations, the extent and methods of employee monitoring differ.
Surveillance methods
1. Email monitoring
2. Monitoring of Internet use
3. Software monitoring (including
Working time tracking and Log
Management)
4. Video surveillance (CCTV and use of the cameras built into
computers)
5. Scanning and analysis of files
6. Location monitoring
7. Screen monitoring
8. Key logging
9. Audio recording (telephone tapping and recording of
ambient sound)
10. Monitoring of mobile
communication usage
11. Social media monitoring
12. Use of profiling
13. Use of biometric scanners
Typical tooling: DLP, UEBA/UBA, web proxy, NGFW, CASB, BYOD/CYOD controls, MDM, SIEM, CCTV and other specialised tools…
Specifics of remote work
1. Personal or corporate device
2. Personal or corporate communication channels
(mobile and Internet)
3. Privacy of third persons (e.g. family members)
4. Geolocation control
5. Time tracking and control
6. Mixing business and personal data
7. Specifics of local legislation (location of the subject)
When employee monitoring tools are used, there is a risk of
violating the rights of vulnerable data subjects.
Legal requirements
1. The Convention for the Protection of Individuals
with regard to Automatic Processing of Personal
Data (the Convention 108)
2. GDPR and ePrivacy
Local legislation:
3. Data protection acts
4. Labour legislation
5. Privacy in working life (if applicable)
6. IT and communications
7. CCTV (if applicable)
8. Other regulations (if applicable)
DPA guidance, e.g. the FAQ on working life published by the Finnish
Office of the Data Protection Ombudsman:
https://tietosuoja.fi/en/faq-working-life
Understanding the needs and expectations of
interested parties
Internal:
• Shareholders
• Top Management
• CSO / CISO
• DPO / DPM
• Internal Control
• Risk and Compliance Managers
• Legal
• HR
• IT
• Employees
• Employees’ Representatives
• …

External:
• DPA / SA and other authorities
• Human rights organizations
• Vendors
• Trade Unions
• Consultants
• Customers
• Professional organizations
• Visitors
• Competitors
• Employees’ Families
• …
Employee Monitoring: CISO and DPO conflict
CISO                      | DPO
Security                  | Privacy
Insider threats           | Data subjects’ rights
Risk assessment           | DPIA
Hidden control            | Transparency
Maximum data and sources  | Data minimisation and purpose limitation
Long-term storage         | Storage limitation
Monitoring                | Blocking
Full access               | Four-eyes principle, masking and encryption
Policy and requirements   | Notifications, consents and awareness
Risks of inadequate monitoring
1. Fines and other penalties by supervisory authorities
2. Confiscation of equipment
3. Compensation for damages
4. Criminal prosecution
5. Loss of trust and demotivation of staff
6. Negative PR and Bad Publicity
GDPR Fines examples
Organisation (country)               | Fine                        | Date    | Reason
H&M (Germany)                        | EUR 35,300,000              | 2020-10 | Excessive employee monitoring (profiles, work performance and mailing details)
Unknown organisation (Netherlands)   | EUR 725,000                 | 2020-05 | Scanning employees’ biometrics with a fingerprint time and attendance system
Taksi Helsinki (Finland)             | EUR 72,000                  | 2020-05 | CCTV, location data processing, automated decision-making and profiling
School in Skellefteå (Sweden)        | SEK 200,000 (EUR 18,630)    | 2019-08 | Facial recognition system
Kymen Vesi Oy (Finland)              | EUR 16,000                  | 2020-05 | Monitoring of employee location data
Unknown organisation (Hungary)       | HUF 1,000,000 (EUR 3,000)   | 2019-06 | Email monitoring
Unknown organisation (Hungary)       | HUF 500,000 (EUR 1,500)     | 2019-02 | Email monitoring
Important GDPR articles and potential fines
Up to EUR 20,000,000 or 4% of the total worldwide annual turnover of the
preceding financial year, whichever is higher (Art. 83(5)):
Article 5. Principles relating to processing of personal data
Article 6. Lawfulness of processing
Article 7. Conditions for consent
Article 9. Processing of special categories of personal data
Article 12. Transparent information, communication and modalities for
the exercise of the rights of the data subject
Article 13. Information to be provided where personal data are
collected from the data subject
Article 17. Right to erasure (‘right to be forgotten’)
Article 18. Right to restriction of processing
Article 21. Right to object
Article 22. Automated individual decision-making, including profiling

Up to EUR 10,000,000 or 2% of the total worldwide annual turnover of the
preceding financial year, whichever is higher (Art. 83(4)):
Article 25. Data protection by design and by default
Article 30. Records of processing activities
Article 32. Security of processing
Article 33. Notification of a personal data breach to the supervisory
authority
Article 34. Communication of a personal data breach to the data subject
Article 35. Data protection impact assessment
Article 36. Prior consultation
GDPR Principles and Lawfulness of processing
Principles (Art. 5):
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

Lawful bases (Art. 6), rated for their suitability for employee monitoring:
1. Consent - 😟 (rarely freely given because of the imbalance of power
between employer and employee)
2. Contract - 😐
3. Legal obligation - 😐
4. Vital interests - 😐
5. Public interest - 😐
6. Legitimate interests - 😀 (the usual basis, subject to a documented
balancing test)
Employee monitoring good principles
1. Necessity: An employer must be able to demonstrate that the
monitoring is really necessary and to explain its purposes and scope.
2. Legitimacy: An employer must have lawful grounds for collecting and
using the personal data and, if applicable, special categories of personal
data, and the processing must be fair.
3. Proportionality: Any monitoring that takes place must be proportionate
to the issue that the employer is dealing with (“balance of interests”).
4. Transparency: An employer must clearly inform employees of the
monitoring (and its techniques) that will be carried out.
5. Integrity and confidentiality: An employer must restrict access to
monitoring data to the minimum set of people and rights needed (least
privilege) and enforce access control.
Internal Documents
HR:
1. Contract and NDA
2. Collective agreement (including time tracking and control) /
Workplace policy / Code of conduct / Employee handbook
3. Social media policy

Information Security:
1. Information security policy
2. Employee monitoring policy
3. CCTV policy
4. Information classification and handling policy
5. Acceptable use policy (email, Internet usage, USB, mobile devices and
BYOD, social media, mobile communications, remote work...)
6. Incident management procedure (+ scripts)
7. Information security risk register and risk treatment plan (RTP)

Data Protection:
1. Data protection policy
2. Awareness materials and notifications
3. Consents (if applicable)
4. DPIA reports
5. Records of processing activities
6. Cookie policy and banner
My recommendations
1. Identify local legislation and its specifics, as well as the DPAs’ recommendations
2. Assess the level of influence and the expectations of interested parties
3. Study the legal issues before pilot testing
4. Define the purpose and legal basis
5. Conduct a DPIA (data protection impact assessment) and discuss the results with the
employees’ representatives before implementation
6. Minimise data and storage periods (e.g. 72 hours for CCTV records and 3-6 months for logs)
7. Choose blocking over monitoring (if applicable): a blocked action needs no record of who attempted it
8. Implement the four-eyes principle (access control) and other restrictions
9. Follow the requirements for profiling (GDPR Art. 22) and biometric data (GDPR Art. 9),
if applicable
10. Use only tools whose privacy functionality is implemented and documented
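The CISO/DPO table and recommendations 6 and 8 above describe what a privacy-preserving monitoring pipeline should do, not how. The following is an added example, not code from the deck or from any of the tools it lists: it takes constructed web-proxy log lines and applies data minimisation (drops the client IP and truncates the destination host), masking (replaces the username with a keyed-HMAC pseudonym, which is stable for correlation but cannot be recovered from the log alone), storage limitation (purges records older than an assumed 90-day window) and a four-eyes rule on re-identification. The log format, field names, key and retention period are assumptions made for the example.

```python
"""Privacy-preserving handling of employee web-proxy monitoring logs.

Added example (not from the original deck). Assumptions: a whitespace-
separated log format "ts user client_ip host bytes action", a 90-day
retention window, and a pseudonymisation key that in production would
come from a secrets store and be rotated.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: hard-coded only so the example runs offline; never do this in production.
PSEUDONYM_KEY = b"example-only-rotate-me"
RETENTION = timedelta(days=90)  # assumed; the deck suggests 3-6 months for logs

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2020-11-01T08:15:02Z alice 10.0.0.11 intranet.example.com 1200 allowed
2020-11-01T08:16:40Z alice 10.0.0.11 drive.example.net 5400000 allowed
2020-11-01T09:02:11Z bob 10.0.0.12 pastebin.example.org 880000 blocked
2020-07-15T12:00:00Z carol 10.0.0.13 news.example.com 3000 allowed
"""


def _parse_ts(iso_z: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00")).astimezone(timezone.utc)


def pseudonymise(user: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC pseudonym: the same user always maps to the same value, so
    records can still be correlated, but without the key nobody holding the
    log can reverse or brute-force it (an unkeyed hash of a username could be)."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(line: str) -> dict:
    """Keep only what the stated purpose (exfiltration detection) needs:
    the client IP is dropped and the host is cut to its last two labels."""
    ts, user, _client_ip, host, nbytes, action = line.split()
    return {
        "ts": _parse_ts(ts),
        "user_pseudonym": pseudonymise(user),
        "dest": ".".join(host.split(".")[-2:]),
        "bytes": int(nbytes),
        "action": action,
    }


def process(log_text: str, now_iso: str) -> list:
    """Parse and minimise every line, then enforce the retention window."""
    cutoff = _parse_ts(now_iso) - RETENTION
    records = [minimise(l) for l in log_text.splitlines() if l.strip()]
    return [r for r in records if r["ts"] >= cutoff]


def reidentify(pseudonym: str, directory: list, approvals: set) -> str:
    """Four-eyes rule: mapping a pseudonym back to a person needs two distinct
    named approvers (e.g. security analyst plus HR or DPO). `directory` is the
    list of known usernames, assumed to come from the identity provider."""
    if len(approvals) < 2:
        raise PermissionError("four-eyes rule: two distinct approvers required")
    for user in directory:
        if hmac.compare_digest(pseudonymise(user), pseudonym):
            return user
    raise KeyError("no user in the directory matches this pseudonym")


if __name__ == "__main__":
    kept = process(SAMPLE_LOG, "2020-11-08T00:00:00Z")  # carol's July record is purged
    for r in kept:
        print(r)
    # Investigating a large upload: re-identification only with two approvers.
    big = [r for r in kept if r["bytes"] > 500_000]
    print(reidentify(big[0]["user_pseudonym"], ["alice", "bob", "carol"], {"analyst1", "dpo"}))
```

The analyst working the SIEM sees only pseudonyms, destinations and byte counts; the mapping back to a named employee happens in a separate, logged step that the DPO side can audit. Rotating `PSEUDONYM_KEY` at the end of each retention period also makes old and new records uncorrelatable, which is a cheap way to bound how long a behavioural profile can be assembled.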
Thanks!
Andrey Prozorov, CISM, CIPP/E, CDPSE
• My patreon (ISMS and GDPR toolkits):
https://www.patreon.com/AndreyProzorov
• My email: prozorov.info@gmail.com