An article about workplace wearables came across my Twitter feed recently, and it made me think about a conversation I had with our blog editor a few months ago on how popular devices, like headphones, collect data that could identify you. This article addresses another kind of popular device – wearables. The article talks about the rise in the number of organizations providing wearables to their employees – either to monitor the workplace for safety concerns or to promote a healthier lifestyle through devices like Fitbits.
But what many organizations fail to consider are the privacy implications of doling out wearables to their workforce. Wearables are data-collecting devices. And like any Internet of Things (IoT) device, organizations need to ensure that the data they capture and store from these devices goes through the appropriate governance and protection measures. With stricter data protection regulations such as the European General Data Protection Regulation (GDPR) coming into effect in less than a year, the spotlight on how you protect the personal data you collect is getting even stronger. And trust me, you don’t want the data coming from a wearable device program to be the cause of an audit, or worse, a breach.
But the onus doesn’t fall only on the company. Employees, too, are increasingly becoming data citizens and need to be aware of the implications of accepting company-provided wearable devices. Take Fitbits or other activity-monitoring devices as an example. These devices collect a variety of data points, from your heart rate to the number of steps you’re taking to the amount of time you’ve been sitting idle. Now consider what happens if the data provided by your activity-monitoring device is paired with other data collected by your employer. Under the GDPR, that combination of data could be considered personally identifiable. Or consider the fact that your employer has just provided you with a wearable that knows where you are at all times.
Now, the point of this post is not to debate whether companies should provide their employees with wearable devices (or whether employees should accept them). Rather, it is to raise awareness of the many ways you generate data every day through everyday IoT devices. What seems like a harmless HR program designed to boost your activity levels could turn into a data breach nightmare if your company isn’t properly governing and protecting the data it collects. So what should you do?
Employers – before you launch a wearable program, decide where you’ll store the data and how you’ll govern and protect it. Put it through the same rigor that you would apply to any personally identifiable information you collect about employees or customers. And communicate the safeguards you’re putting in place before you distribute the devices. If you introduce third-party devices, be sure to review the vendor’s data protection and privacy programs and certifications.
Employees – be vigilant. Ask your employer what they intend to do with your data, where they are storing it, and how they are governing and protecting it. Don’t just assume that it falls under the same protection rules as your address, social security number, or health history. And if they can’t give you a good answer, then politely decline the device until these measures are put into place.
Does your organization provide wearables to its employees? If so, what measures have you taken to ensure the data is governed, protected, and secure?