In-house lawyers must help senior management and employees ensure their use of the digital workplace is legal, compliant and safe and that issues are dealt with as quickly as possible.
By providing clarity to employees, supporting senior management and satisfying external client demands, you’ll reduce risk and add real value for your organisation. It will also help you to understand how the systems work in the event of a data breach, a compliance investigation (e.g. ABC compliance) or litigation requiring e-discovery or a "dawn raid" by a regulator - in which event knowing these things becomes very (and urgently) important!
What is the digital workplace?
An organisation’s network of digital channels, platforms and tools can be bewildering, complex and fast moving.
IT ecosystems usually involve multiple applications owned by people across different departments, divisions and locations. Some of these applications may integrate with others, while others are stand-alone tools for specific tasks or business units. Some may reside in the cloud, while others are on-premises.
They’re all likely to be accessed by a combination of PCs, laptops, Macs and mobile devices, both corporate and employee-owned.
These devices are often backed up with intended (and unintended) copies in multiple locations within the company's physically owned infrastructure and within the systems of subcontractors, outsourcers and cloud services providers such as Salesforce.com and Google analytics. This becomes really important to understand if you are sued, dawn raided, involved in a compliance investigation or have a suspected data breach.
Additionally, some employees, and even teams, may use tools not officially sanctioned by the IT department. For example, many people use their own Dropbox accounts to share files among themselves independently of their organisation’s file sharing policies and systems.
Many vendors and consultancies refer to this ecosystem as the digital workplace as it’s essential to many practices, including:
- Internal communications;
- Team collaboration;
- Project management;
- Knowledge management;
- HR related processes;
- Management reporting;
- Client service delivery; and
- External communications.
The term digital workplace suggests a holistic view of how employees experience multiple IT channels. It implies coordination between distinct and disparate software applications and services.
Thinking about the digital workplace as a whole helps software designers and IT functions introduce consistency into the look and feel of different systems and the way people access them. Using the same log in credentials, known as a single sign-on, is one example of this approach. Holistic thinking also helps organisations plan their IT strategically and efficiently.
What does this mean for in-house lawyers?
As an in-house lawyer, you can use the concept of the digital workplace to think about risks, knowledge gaps and opportunities to add value. For example, can you provide guidance and risk-related processes across your organisation’s entire digital workplace, or just a handful of individual applications?
You will, at the very least, need to know about:
- Acceptable terms of use for employees and other related policies;
- Privacy of employee data;
- Privacy and duty of care over client data;
- Territories where data servers are held, and how these affect data privacy and protection and GDPR compliance;
- Accessibility;
- Copyright of material published on the organisation’s channels;
- Retention policies and e-discovery processes;
- Any obligations and processes which may affect agreements with workers’ organisations (this is particularly pertinent to German Works Councils);
- Sector or market-specific regulatory or compliance issues;
- Processes that drive compliance, including educating employees;
- IP compliance of software that you operate commission or adapt (including licence terms and fee payments);
- How to navigate/search the systems for compliance and/or disclosure purposes; and
- Specific wording on sensitive content, such as HR procedures.
Adding value
You have a role to play in making sure people use your organisation’s digital workplace in a legal, compliant and safe way. You also need to ensure that if any issues do arise, you can deal with them quickly, without causing disruption to normal business operations.
Most in-house legal teams are more involved in drafting guidance than advising on specific incidents in the digital workplace. However, this can be seen as more than just a risk management process. Add value by reducing senior management’s worries about the perils of the digital workplace and give employees clear guidance about appropriate use of different channels.
This latter point is increasingly important as, generally, digital channels have moved from a consumption, or broadcast, model to a participative one. More and more employees can now post content, add comments or share files than ever before, without restriction or prior approval.
Focus on user education and training to minimise risk and drive compliance. Employees want clear guidance written in plain language. Avoid unnecessarily long, complex or legalese-laden messages. They’ll never be read.
Senior management often spend far more time worrying about potential incidents in the digital workplace than the frequency of their actual occurrence warrants. For example, the most common issue on intranets and internal social networks is unintentional breach of copyright law. However, we've never known a senior manager lose sleep over copyright.
Business-to-business organisations that handle sensitive client data are often contractually obliged to have certain processes in place across their internal digital workplace. Clients insist on these to assure themselves that their suppliers meet certain standards in care with their data. So, where a large financial services firm seeks guarantees from a smaller professional services firm, such as an accountancy practice, the in-house lawyers for both parties play a pivotal role.
It is good practice to have a good and regular relationship with the people who run the IT in your business and fully to understand how the systems that your team uses operate and where they are - it would be embarrassing to be caught out by an issue relating to your contract management system for example!
A walk through the digital workplace
The internal ecosystem of digital channels differs from organisation to organisation and there’s often overlap between the capabilities of different channels. For example, one company's intranet might have a complete social networking capability, while in others, it won't be appropriate.
Below are the most common channels we think you’ll come across. This list is not exhaustive, so we’ve focussed on those most employees have direct access or exposure to.
Intranet publishing
Most organisations use intranets to publish news and content. Internal communications teams and HR departments are usually the main publishers on intranets. However, employees can usually rate content, leave comments and, possibly, publish articles themselves.
Employee directory
An employee directory is a central listing of an organisation’s employees and, sometimes, contractors. It should contain an individual profile for every employee, complete with contact information, job data, a photograph and relevant job experience. The directory is normally integrated with the intranet or internal social network. Profile capability is embedded in many applications, so some organisations end up with more than one directory.
Social and community platform
An enterprise social network typically allows employees to follow each other, post wikis, blogs, open discussion forums and community spaces and view updates in a feed or activity stream. People generally use these platforms for informal and open interaction rather than project or client-specific work. A social and community platform may also be part of the intranet.
A common risk is for people - especially in larger companies - to muddle intranet and internet and to post material that should stay internal to the company in external contexts - which is why strict controls on who can use the company's twitter feed (etc.) and how they can use it are recommended
Team sites, project workspaces and team collaboration
Project and team-specific workspaces are generally private, closed forums where team members post updates, allocate tasks and share files. Examples include SharePoint, Huddle and Slack. Organisations often use these applications with external service providers.
HR and learning systems
HR and learning systems allow employees to update their details, book annual leave, view payslips, choose benefit options, arrange training and complete other self-service tasks. They may form part of an integrated HR portal, have some integration with the intranet or be a series of disconnected applications.
Instant and video messaging
Internal instant messaging or real-time chat with video messaging is commonplace in organisations nowadays. Skype for Business, formerly branded as Lync, is the ubiquitous tool.
Internal video channels
Some organisations have an internal YouTube platform for publishing and sharing videos.
Digital signage
Digital signage (internal video screens for messaging), usually managed by the internal communications team, is increasingly common in the workplace.
The dominant digital channel, email delivers everything from internal communications to file sharing.
Function specific and other core systems
As well as communication and collaboration channels, there are platforms designed for customer relationship management, financial management, practice management, time recording and much more. Many organisations also use data warehousing facilities complete with reporting suites.
Systems like Salesforce.com and finance and procurement management tools such as, Xero, SAP and Ariba may also hold a surprising amount of commercially sensitive, confidential and personal data in multiple locations, usable in many ways and accessible by many people.
A particularly important example of this (because of the sensitivity of the content) is the systems that you use to compile and communicate Board Packs (e.g. Board Vantage and other similar products)
This is also likely to be true of the systems that are used by your company to take and make payments (particularly if you have a large consumer and/or small & medium business customer and/or supplier base) and to make payroll payments.
Many businesses will also have specific software for running websites such as Sitecorp or Gather Content and may also have web based platforms to support online sales platforms and/or manufacturing/ production and/or staff time recording etc.
In short - whatever your business does is likely create multiple digital shadows and, as all good children's fiction writers will tell you, nasty things normally hide in the shadows - so it is important that you look there carefully!
Employee apps
Your organisation may make mobile apps available to employees on both corporate and employee-owned devices. They may be custom-built or generic ‘off the shelf’ applications. There may even be a corporate app store where the apps are downloadable from.
Client extranets
Though not strictly internal, these channels often have a similar set-up to internal channels and use the same technology as that found in internal collaboration tools.
Under the radar applications
Shadow IT, the use of non-approved applications by individuals and teams for work purposes is a big issue for some organisations. This arises when official systems have gaps and limitations, while easily available alternatives provide convenience, extra features and a superior user experience. In many cases, these offerings are designed for consumers, so don’t have the enterprise features a security conscious organisation with data protection obligations needs. As a result, they risk breaching security and data privacy guidelines.
Conclusion
Take time to really understand your organisation’s digital workplace and think holistically about it as a strategic asset with its own risks. Knowing all the different channels helps to spot specific issues and extend common guidance and polices across a wider scope. It also helps to communicate best practice and safe usage to employees and management in a way that has real impact. Do this concisely, using plain language and simple messaging. And, as the digital workplace is evolving rapidly, stay on top of developments.