According to both US and EU labor statistics[1], 15% of employees change employer every year, and one of the major data protection problems is data loss through these departing employees. The threat of your employees taking data with them when they leave your organisation is real – a report I found from Osterman Research went so far as to say that half of leaving employees admit to taking data from their employers when they leave. The reasons are not always malicious, and the type of data taken can vary: strategic documents, customer lists or even intellectual property. Under the GDPR, if an employee takes customer data it is now classified as a data breach which you would have to report to your supervisory authority, and both your organisation and your ex-employee would be at risk of sanctions.
Employees come and go. Most companies have some form of onboarding plan in place because they want new hires to make an impact as soon as possible. But you should also make off-boarding an equal priority.
Onboarding and data protection education
Unsurprisingly, good off-boarding begins with good onboarding and training on the General Data Protection Regulation. If your employees handle personal data, you're responsible for making sure they understand the GDPR so they can comply with it. Furthermore, your organisation should have its own internal data protection policies, which employees are familiar with and have agreed to follow.
Good data protection policies and procedures
The best way to protect against an employee taking data when they depart is by making sure you have effective controls in place. You should be considering the following:
- Have visibility of the personal data your organisation holds. Keep a data inventory so you know everywhere the data might be stored.
- Limit employee access. Each employee should only have access to personal data by role and function, so it's clear what each employee can access.
- Encrypt data in transit and at rest, and protect it with good authentication. This not only secures personal data from unauthorised parties, it also logs each time authorised parties access it.
- Manage devices properly. All applications should be enterprise approved, should not store data locally and, where they do, should allow that data to be remotely wiped.
- Have good backups in place.
- Make sure employees have signed your data protection policy, and include it along with confidentiality provisions in your employment contracts.
Off-boarding plan – the data protection component
You should have a documented off-boarding policy that details all of the off-boarding events and who is responsible for each. Make sure it covers the following elements:
- Disable access to email
- Remove all rights and disable access to all applications
- Disable company-owned mobile devices
- Delete and wipe company personal data from any employee-owned mobile devices
- Delete data the departing employee may have been using
- Monitor access in the weeks before departure and after employment ends for suspicious activity
- Give managers access to the departing employee's content archives
- Have them sign a document confirming they have returned all corporate personal data assets and have not retained any company data
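One way to operationalise the monitoring step in the list above, as an added example that is not from the original post: a small Python review over constructed access-log lines that flags any activity after a leaver's last day (a sign that access revocation was incomplete) and a download spike in the final weeks compared with that person's earlier baseline. The user names, dates, log format and the two-week window are all assumptions made for the example.

```python
from datetime import date, datetime, timedelta

# Constructed sample data (not from the article): leavers and their last working day.
LEAVERS = {"jdoe": date(2023, 3, 31)}

# Constructed access-log lines: "<ISO timestamp> <user> <action> <object>".
ACCESS_LOG = """\
2023-02-01T09:12:00 jdoe download customer_list.xlsx
2023-02-20T14:05:00 jdoe download q1_roadmap.pdf
2023-03-02T10:30:00 asmith download pricing.xlsx
2023-03-20T17:40:00 jdoe download customer_list.xlsx
2023-03-21T18:02:00 jdoe download contracts_2022.zip
2023-03-22T18:15:00 jdoe download prospects_emea.csv
2023-03-28T19:30:00 jdoe download supplier_contacts.csv
2023-03-30T20:10:00 jdoe download crm_export_full.csv
2023-04-03T08:00:00 jdoe login vpn
2023-04-04T11:00:00 asmith download q2_budget.xlsx
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, user, action, object) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, obj = line.split()
        events.append((datetime.fromisoformat(ts), user, action, obj))
    return events

def review_leaver(user, last_day, events, window_days=14, spike_factor=3.0):
    """Post-departure events mean access was not fully revoked; a download rate in the
    final window well above the user's own earlier baseline is the pre-departure signal."""
    mine = sorted(e for e in events if e[1] == user)
    window_start = last_day - timedelta(days=window_days)
    post_departure = [e for e in mine if e[0].date() > last_day]
    baseline = [e for e in mine if e[2] == "download" and e[0].date() < window_start]
    window = [e for e in mine if e[2] == "download" and window_start <= e[0].date() <= last_day]
    # Baseline spans from the first event seen for this user to the start of the window.
    baseline_days = max((window_start - mine[0][0].date()).days, 1) if mine else 1
    baseline_rate = len(baseline) / baseline_days
    window_rate = len(window) / window_days
    # Floor the baseline at one download per window so a quiet user is not flagged
    # for a single download, and a zero baseline does not make every download a spike.
    spike = window_rate > spike_factor * max(baseline_rate, 1 / window_days)
    return {"post_departure": post_departure, "download_spike": spike,
            "baseline_rate": baseline_rate, "window_rate": window_rate}

def review_all(log_text=ACCESS_LOG, leavers=LEAVERS):
    """Run the review for every leaver in the roster."""
    events = parse_log(log_text)
    return {u: review_leaver(u, d, events) for u, d in leavers.items()}
```

In a real deployment the log would come from your identity provider or file-sharing audit trail and the roster from HR, with anything after the last day routed straight to the person responsible for access revocation.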
Employee turnover is common, and so is the likelihood that departing employees will take personal data with them – even inadvertently. This creates risk, but good initial training, effective systems and a good departure process can mitigate it.
[1] https://www.darkreading.com/vulnerabilities—threats/survey-when-leaving-company-most-insiders-take-data-they-created/d/d-id/1323677 or https://hiring.monster.co.uk/hr/hr-best-practices/workforce-management/employee-retention-strategies/what-is-the-ideal-employee-turnover-rate.aspx and for US: https://www.bls.gov/news.release/tenure.nr0.htm