The General Data Protection Regulation (GDPR) goes into effect next week. Even if you don't live in Europe or do business officially in Europe, you can find your life affected by these rules. Europe is very concerned about data and privacy, and for consumers, that seems to be mostly a good thing.
If you do live or do business in Europe or with Europeans, you're probably ready, but there's one thing that can make all this work and all these regulations worthless: your employees.
Last week, Facebook fired an employee who bragged on Tinder about his access to user data. Obviously, his intended love interest didn't find this impressive and brought it to the attention of a friend who worked for Jackie Stokes's company, Spyglass Security Consulting LLC. Stokes brought it to Facebook's attention (as she should have).
"I've been made aware that a security engineer currently employed at Facebook is likely using privileged access to stalk women online. I have Tinder logs. What should I do with this information?" -- Jackie Stokes (@find_evil), April 30, 2018
But, how many other employees are out there who are doing the same, but not dumb enough to brag about it to someone they hardly know?
It's Not Just Tech Companies
We worry about data privacy from Google and Facebook. But massive data breaches have occurred in industries across the spectrum--from Target to Equifax to Anthem--and in each case hackers procured our personal data. Hacking is clearly a problem.
But internal people can be just as concerning. Do you know how many people have access to personal information about you just based on your employment records in a company? Your boss, sure. What about everyone in the human resources and payroll departments? It's not just your salary that is available. Your Social Security number is in your records (even if it is masked for reporting, it has to be available or you can't be paid properly), along with your address, your family status, your emergency contacts, and your job history. If you have a 401(k) loan, that information may be available as well.
That's a lot of information, and if your business isn't careful, it can be pretty easily accessed by any number of people.
Is Your Data Sufficiently Compartmentalized?
While I would prefer it if everyone within a company could see everyone else's salary (it's harder to discriminate if you can't hide information), the rest of your personnel files should be available to only those people who need it. The HR person over in marketing doesn't (generally) need information for all the people in operations.
Payroll needs to know about garnishments for things like child support or debt payments, but that's not something that an HR person or a manager needs to know.
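The need-to-know split described in the two paragraphs above can be made concrete in the system that serves personnel records rather than left to policy documents. The following is an added example written for this column, not code from the original article or from any HR product: it assumes three roles (manager, HR, payroll), a field-level policy where payroll alone sees garnishments and the full Social Security number, department scoping for managers and HR staff, an audit entry for every read, and a crude check for accounts that open far more files than their job could require. The employee record and all values in it are constructed sample data.

```python
"""Need-to-know access to personnel records: field-level authorization, SSN
masking, an audit trail, and a simple check for accounts that browse far more
files than their job requires. Added example; not from the original column."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample record (hypothetical employee, hypothetical values).
EMPLOYEE_RECORD = {
    "employee_id": "E-1001",
    "name": "Sample Employee",
    "department": "operations",
    "job_history": ["Analyst (2016)", "Senior Analyst (2019)"],
    "salary": 72000,
    "ssn": "123-45-6789",
    "home_address": "1 Example St, Sampletown",
    "emergency_contact": "Sample Contact, 555-0100",
    "garnishments": ["child support: 400/month"],
    "retirement_loan": "401(k) loan, balance 5000",
}

# Which roles may read which field. Assumed policy for illustration: payroll
# sees garnishments and loans, HR sees most of the file, a manager sees only
# what is needed to manage the person.
FIELD_POLICY: Dict[str, Set[str]] = {
    "employee_id": {"manager", "hr", "payroll"},
    "name": {"manager", "hr", "payroll"},
    "department": {"manager", "hr", "payroll"},
    "job_history": {"manager", "hr"},
    "salary": {"hr", "payroll"},
    "ssn": {"hr", "payroll"},
    "home_address": {"hr", "payroll"},
    "emergency_contact": {"hr"},
    "garnishments": {"payroll"},
    "retirement_loan": {"payroll"},
}
# Roles that receive the real SSN; any other role allowed the field gets a mask.
FULL_SSN_ROLES = {"payroll"}


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, e.g. 123-45-6789 -> ***-**-6789."""
    return "***-**-" + ssn[-4:]


@dataclass
class Requester:
    user_id: str
    role: str                         # "manager", "hr" or "payroll"
    department: Optional[str] = None  # managers and HR are scoped to one department


@dataclass
class AuditEvent:
    user_id: str
    employee_id: str
    granted: List[str]
    denied: List[str]


def read_record(requester: Requester, record: dict, fields: List[str],
                audit: List[AuditEvent]) -> dict:
    """Return only the fields this requester may see, logging the access.

    Managers and HR staff may only open files in their own department; payroll
    is company-wide. Unauthorized or unknown fields are omitted and recorded as
    denied, so the caller learns nothing about their contents."""
    employee_id = record["employee_id"]
    if requester.role != "payroll" and requester.department != record["department"]:
        audit.append(AuditEvent(requester.user_id, employee_id, [], list(fields)))
        raise PermissionError(f"{requester.user_id} may not open files in {record['department']}")
    granted, denied, view = [], [], {}
    for name in fields:
        if requester.role in FIELD_POLICY.get(name, set()):
            value = record[name]
            if name == "ssn" and requester.role not in FULL_SSN_ROLES:
                value = mask_ssn(value)
            view[name] = value
            granted.append(name)
        else:
            denied.append(name)
    audit.append(AuditEvent(requester.user_id, employee_id, granted, denied))
    return view


def users_browsing_widely(audit: List[AuditEvent], max_records: int) -> Dict[str, int]:
    """Accounts that opened more distinct personnel files than max_records.

    A crude but useful signal: an HR generalist for a 40-person department has
    no reason to open 300 files in a day. Returns {user_id: count} for offenders."""
    seen: Dict[str, Set[str]] = {}
    for event in audit:
        if event.granted:
            seen.setdefault(event.user_id, set()).add(event.employee_id)
    return {u: len(ids) for u, ids in seen.items() if len(ids) > max_records}


if __name__ == "__main__":
    log: List[AuditEvent] = []
    hr = Requester("h1", "hr", "operations")
    print(read_record(hr, EMPLOYEE_RECORD, ["name", "ssn", "garnishments"], log))
    print(log[-1])
```

The two halves matter equally: the policy table decides who sees what, and the audit log is what lets you notice the employee who is technically authorized for each individual file but is quietly reading hundreds of them.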
Is Your Office Structure Conducive to Privacy?
For printed information, do you have a central printer or does each person whose job focuses on dealing with employee information have a private printer at his or her desk? If it's a central printer, do you have to enter a code to get your prints, or can you just hit print and they print?
What about your open office floor plan? Hip, cool, and a destroyer of privacy. Not only are computer screens visible to many, many people, but also, how can you have a private conversation? Yes, of course, you can fight for access to a conference room, but too often things that should be said privately get said publicly when closed doors are rare. And the act of an HR person or manager taking an individual employee into a conference room and shutting the door tells everyone that there's a problem. (Even when there isn't one.)
When you're making sure that your electronic data is safe and in compliance with GDPR, make sure that your people are not going to undermine your hard work by blabbing about information that should be kept private.
Edited to correct an earlier version that identified Ms. Stokes as the target.