In the Privacy Soapbox, we give the stage to privacy professionals, guest writers, and opinionated industry members to share their unique points of view, stories, and insights about data privacy. Authors contribute to these articles in their personal capacity. The views expressed are their own and do not necessarily represent the views of Didomi.

Do you have something to share and want to take over the privacy soapbox? Get in touch at blog@didomi.io.

The modern workplace is built on Software as a Service (SaaS) tools. SaaS not only streamlines operations but also collects vast amounts of usage data. While this data can be invaluable for optimizing business processes, it also raises concerns about employee privacy.

I am Nikolai, co-founder of Corma, where we help companies centralize their software stack, manage their licenses, and automate their identity access management. From that experience, I see how companies are now highly aware of the compliance risk around their client data privacy and security but often overlook that employees also enjoy data privacy rights and that using employee data poses a risk as well.

In this post, I want to explore the topic of employee data privacy rights in the context of SaaS tools in the workplace and examine strategies for mitigating associated risks.

The dominance of SaaS in the modern workspace and employee data protection

SaaS tools have become the backbone of modern business operations, revolutionizing how companies operate, collaborate, and innovate.

Statistics show a significant trend towards SaaS adoption, with employees utilizing numerous tools daily. Today, companies use, on average, 371 SaaS tools, a 32% growth since 2021, which shows the integral role of SaaS in businesses' digital transformation journey. Ensuring the security of their software stack should be a high priority for companies, as 78% of organizations store sensitive data in SaaS applications, creating an inherent risk for data breaches.

However, this aspect of employee data protection is often overlooked. I see it every day in my role at Corma, where most of the companies I talk to are very conscious that they need to handle customer data carefully yet do not know where to start.

I can clearly observe a lack of awareness that data privacy regulation protects not only third parties but also the people inside the company. SaaS tools typically track various employee activities, such as logins and activity time - data points that are necessary for effective Identity Access Management but can pose privacy concerns when bundled together.

Such monitoring can go much further and include:

  • Viewing an employee’s desktop in real-time

  • Taking periodic screenshots

  • Recording the number and content of typed pages of text

  • Tracking working hours

  • Measuring the frequency of mouse clicks

Employers are not the only ones who decide what data may be examined. Legal frameworks like the General Data Protection Regulation (GDPR) require them to balance SaaS capabilities with employee privacy rights.

Selecting SaaS solutions considering data security

Procuring SaaS solutions requires careful consideration, as some tools may collect excessive data. Employers must prioritize vendors with robust data security features, including SOC compliance, ISO certification, and encryption protocols.

This sounds more complex than it actually is.

Regulations essentially provide companies with checklists of compliance requirements, which serious vendors can tick off without an issue.

Additional risk comes from freemium tools, which most employees would not bother to validate internally before implementing. Freemium models often entice users with free access to basic features but may collect extensive user data for monetization purposes behind the scenes. This can include sensitive information that could compromise employee privacy if handled inappropriately.

As the old saying goes, if it’s free, you are the product.

For instance, freemium project management tools may track user activities, communication logs, and project details, which can inadvertently expose confidential business information or sensitive employee data. Without proper scrutiny during a procurement process, organizations risk unintentionally exposing their employees to privacy breaches and regulatory violations.

While it is a popular and common practice to sign up for the latest SaaS tools, it is usually advisable to take a step back before purchasing a new one.

A proper procurement process can usually mitigate the risks around SaaS. In most companies, different stakeholders, such as legal, security, and data protection officers, need to give their approval before a new solution is rolled out. When these reviews run in parallel with a trial or proof of concept (POC), properly considering data security does not slow down the purchasing process.

Not procuring SaaS tools through proper channels opens the door to Shadow IT: unauthorized tools brought in by someone inside the company.

Up to 65% of all SaaS apps are unapproved and used without the IT department's knowledge or approval, a situation that companies generally ignore until a data breach occurs.

At Corma, what we’ve seen work best is properly educating employees on the risks of Shadow IT, having a solid procurement process that does not make employees feel like they get punished for wanting a new solution, and using an automated tool to discover and manage all software tools in one place.

Pitfalls in the day-to-day usage of SaaS tools around data privacy

Beyond the procurement stage, the daily use of SaaS tools presents ongoing challenges for data privacy, including ensuring that managers understand the implications of their data usage practices.

Indeed, most SaaS tools provide managers with access to a wealth of employee data, such as activity logs, login information, and performance metrics. While this data can be instrumental in understanding productivity and performance, it also poses risks if misused or mishandled. Labor and data protection laws prohibit overreaching surveillance of employees, and the unlawful collection or misuse of collected data can have serious consequences.

Educating managers on the appropriate use of employee data is essential for maintaining privacy and trust within the organization. This includes:

  • Understanding data privacy laws: Managers should be familiar with relevant data privacy laws, such as the GDPR, and their implications for employee data usage, from understanding the limitations on data collection to processing and storage, as well as employees' rights regarding their personal data.

  • Appropriate use of data: Managers should be trained on the appropriate use of employee data for managerial purposes. This includes using data to assess performance, provide feedback, and make informed decisions about resource allocation without infringing on employee privacy rights. A very common example is sales teams, where it is standard practice to track team members' activity in detail, such as phone calls made, emails sent, or time spent in client meetings. While this can be useful for management, companies need to ensure that they do not infringe on the rights of their employees by unlawfully surveilling their actions, which could violate labor laws.

  • Respecting employee consent: Managers must respect employee consent when accessing and using their data, for example, by obtaining explicit consent for data collection and usage where required and ensuring that employees have control over their own data.

  • Keeping an overview of the software stack: As it is Corma's bread and butter, I see how crucial it is for companies to have full visibility and transparency on the software tools used within an organization. With dozens, if not hundreds, of software tools used daily, this can be a huge challenge, which an automated tool can make much easier (while also bringing other benefits around cost optimization and productivity).

By educating managers on these principles, organizations can promote responsible data usage practices and mitigate the risks of privacy breaches in the day-to-day usage of SaaS tools.

Conclusion

Safeguarding employee data privacy is crucial but sometimes underestimated in the SaaS-powered workplace. By prioritizing data security in SaaS procurement, educating employees on privacy rights, and implementing robust policies and audits, companies can navigate the complexities of employee data protection without limiting the benefits of SaaS tools.

As co-founder of Corma, I find accompanying companies on that path to be an exciting challenge.

Maintaining a balance between SaaS capabilities and employee privacy rights is essential for fostering trust and compliance within the workplace, which, in the end, is the foundation for business success. There is no right or wrong way to approach this issue, and this whole topic has many shades of gray. It is an ongoing challenge, which our tool can help with, but every conversation on typical hurdles or existing best practices can also make this topic easier to understand and address.

Navigating data privacy is every team’s responsibility. We at Corma make it our mission to help companies, and I am happy to check in individually to understand the risks and offer ways to maximize operational efficiency using SaaS while maintaining data privacy and protection for everybody.