Global Crisis Management Series: This post is part 15 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis. The current version is available here.
Have the right policies in place
- Ensure clear, readily accessible, and (where necessary) country-specific policies are in place indicating the permitted uses of company devices and other IT equipment, including messaging services. If you allow employees to use their own devices to perform work, make sure your policies adequately address issues of access in the context of investigations.
- Draft and make accessible to employees a policy concerning the purposes for which, when, and by whom, suspicious log data can be accessed, and implement and enforce acceptable and unacceptable use of IT work facilities policies.
- Evaluate policies regularly. Policies that allow monitoring of communications should be reviewed at least annually to assess whether they are the least intrusive means to achieve the stated purposes.
- Stay informed on updates in the law surrounding monitoring, and note that these rules also apply to the monitoring of electronic communications in the workplace.
Have the right protocols and systems in place
- Ensure that systems and processes are in place for handling requests from data subjects for access to their personal data.
- Maintain a data privacy investigation and production protocol and be prepared to consult with local counsel as needed.
- Create robust e-discovery protocols and templates and obtain any necessary approvals, such as from a works council, ahead of time to simplify the process at the time of an investigation.
- Create a response team with data privacy experience that is prepared to deal with data processing and production questions on short notice. It is critical to understand where data is collected, where the individuals whose data is processed are located, and which national laws apply.
- Implement systems and controls to ensure that you can easily track and rectify personal data, extract it, and/or provide it to individuals in the required format when the need arises.
Handle whistleblowing appropriately
- Clearly define the purpose of the system in written internal policies and procedures.
- Ensure that the data obtained through any whistleblowing system is processed with the greatest confidentiality and a high level of data security through adequate technical and organizational measures. Among other steps, limit the scope of possible recipients of whistleblowing reports, apply a multi-step procedure to inform the relevant individuals concerned at the right time about how and why their data is being processed, inform staff of their rights, and set limited storage periods.
- Ensure that your whistleblowing system complies with national law (including employment laws as well as data privacy laws and any applicable industry-specific regulations), and follows any specific guidance from the relevant jurisdiction.