How Data Leaks Through Twitter

If you’re a soccer fan, thinking back to the year 1986 will probably remind you of the nail-biting final between Germany and Argentina that the South Americans narrowly won (unlike the devastating 0:4 loss they received this year, but that’s only by the way). If you are a data protection professional, however, harking back to 1986 will probably conjure up memories of the widespread street demonstrations during the run-up to the German census.

Of course, the '80s saw a lot of protest movements; atomic weapons and the new runway at Frankfurt International drew angry crowds, but resentment of what many saw as uncontrolled and unwarranted collection of personal data was up there among the chief causes for civic unrest. Why, many asked, does the state want to know so much about our personal lives, and especially about immigrants and other foreign nationals residing in Germany? Was there some sinister plot abroad instigated by creepy bureaucrats lurking behind unmarked doors?

Now fast forward to the year of grace 2010, and how different things seem. Once more, a decree has gone out that all the world, or at least the German part of it, should be registered - but where are the protesters, where the councils of concerned citizens, where even a couple of angry letters to the editor? At least for now it seems the German population couldn't care less who wants to know what about their lives and habits. This represents at the very least a change in temperament and begs the question: Don't our kids, who have grown up amidst social networks of almost every description, give a hoot about these things? Or maybe it's just another symptom of disenchantment with politics in general?

In fact there are a number of issues surrounding the upcoming census that need to be addressed and that citizens, and even more so enterprises, ought to be concerned about and aren't. So maybe we should take a closer look at the world of the so-called Digital Natives and ask: How do these young people feel about privacy? What influence do social networks have on their attitudes towards data protection? And above all, what can companies learn from this?

We've seen it all before in our circles of families and friends: nieces, nephews and of course our own kids seem to be online 24 by 7. Texting is out, Twitter is in! The days when teenagers spent countless hours on the phone are over; today's adolescents prefer to foregather online and communicate with their peers via Facebook, YouTube or whatever network they happen to frequent. They spend countless hours updating their profiles, and everybody seems to know everybody, at least three mouse clicks removed. Today, everyone's "friends", and they want to exchange stuff - texts, photos, videos - regularly, if possible in real-time, at least as long as the weekly allowance doesn't run out. Welcome to the bright new world of instant, total communication and Web 2.0.

To store and share information online instead of on their own hard drives is to these youngsters as natural as wearing cargo pants and getting pierced, and the same goes for the ubiquitous Internet. This is good news, of course, for future bosses and HR managers since it means they won't have to train these budding Knowledge Workers of tomorrow in things like using SaaS applications and storing things in the cloud. After all, desktop publishing is so 20th century; the Net Generation run up their school yearbooks in "Web2Print" Shops where anyone can lend a hand with the layout or upload texts and pictures. Reservations, not to mention worries, about technology in general and data collection, storing and publishing in particular? I don't think so!

The Participatory Web has taken parents, teachers, professors and most especially security experts completely by surprise. Young people, it turns out, are oblivious to things like security governance, and parental oversight is apparently an outdated concept. Unfortunately, this also means a total lack of control over what kids do or don't do online, and the same goes for when they enter the working world.

Enterprises - stuck in the Web  

Take just one example: personal resumes. Time was when HR managers could rely on an applicant's honesty, or at least they could catch them out if they fibbed. After all, they had to attach school reports, training certificates and other official documents that were easy to verify. Background checks were only necessary for jobs in sensitive fields such as defense contracting or military intelligence. Calls to personal references like in the U.S. were virtually unheard of on this side of the Atlantic.

Today, HR routinely uses the Web to scan candidates and to catch them out if they have "invented" some previous position or awarded themselves job skills which they in fact lack. A quick Google query and the applicant becomes almost completely transparent, thanks to LinkedIn, Plaxo, Xing, Yansi or especially Facebook. Within minutes they can assemble a portfolio complete with more personal information and private pictures (sometimes showing candidates in rather embarrassing situations) than the former census opponents could have imagined in their wildest dreams!

Okay, the information isn't being stored in a central location (where, incidentally, it would be quite secure since it would be intended for the eyes of state officials only) but is distributed willy-nilly around the Internet. But on the other hand, there is not even a rudimentary form of access control and in most cases the owner is no longer in charge of his or her information, as numerous cases of "data leakage" from online communities have proven in the past. This can lead to downright de facto "data dispossession", with the operators of social networks disputing the right of the owner to have the final say over how their data is used or to whom it is distributed.

Most job candidates are in effect offering potential employers a comprehensive overview not only of their professional careers, but their private lives, as well, along with a deep glimpse into the depths of their souls and their social relationships. And the best thing, at least from an HR perspective, is that this is all completely free and totally legal! One of the most popular German social networks for young people, "Wer-kennt-Wen" (or "wkw" for short), of which the author is a member, now posts warning signs for new members that read: "Your boss can read your profile". They also publish guidelines aimed at helping youngsters (and grownups, too!) to grasp the basic rules of privacy and social governance.

Web 2.0 on the job

Due to their great popularity and widespread acceptance (not to mention peer pressure), social networks can be a major hazard for enterprises, as well. Many personal profiles that are posted in business communities not only give the viewer an idea whom they are dealing with and how qualified he or she may be, they also provide loads of information about their employers' organization and modus operandi. Besides, many business networks not only show the person's job contacts within the firm, but also which suppliers, contractors, consultants and even customers he or she deals with. By leisurely perusing the postings on an employee's community homepage, a competitor can gather lots of info about a company's business relationships, projects and cooperation agreements.

Networks and communities are only part of the problem; the others are private and professional forums, blogs and instant messaging systems such as Twitter. Staff members with lots of exposure usually have lots of "followers" who regularly read what they write. If employers do not have policy guidelines in place that set out what may and may not be divulged online, this can prove to be a train wreck waiting to happen, or at the very minimum a PR disaster in the making. A corporate culture of open communication is fine and good, but only if employees have been briefed on what is acceptable behavior in online communities. The PR department should be involved in setting up such guidelines, as well as legal and management, of course. Even better is an official company agreement which, don't forget, will in most cases need to be passed by the works council, too. On the other hand, there simply is no way for an employer to force everyone to submit web postings prior to publication; you'll just have to trust your people - and hope for the best!

Security governance for communities

Communications and behavior guidelines for Web 2.0 should be part and parcel of any comprehensive strategy aimed at dealing with corporate security. These should not be repressive, but should instead try to incorporate the benefits of the new technology and make it work for the company, not against it. Things like official Twitter hash tags, corporate blog sites and closely-monitored customer forums are a step in the right direction, but given the prevalence of private blogs and online communities they can necessarily address only part of the problem. Management will have to strike a balance between corporate interests and undue (or unlawful) interference with employees' rights as netizens. In fact, some enterprises have begun to encourage their customer-facing staff to use platforms such as Facebook, Slideshare or YouTube to distribute sales presentations, restricting themselves to setting out guidelines for correct use of brand names or job titles in their network profiles. Others have established their own "corporate pages" in networks like Xing or Facebook and urge their people to frequent them.

A sure recipe for trouble is to try and plug the dike by forbidding employees to visit Facebook or other social sites during working hours. That is the equivalent of sticking one's head in the sand and ignoring the new reality of modern telecommunications. Unless your company is involved in extremely sensitive work, say in arms production or aerospace, this option is simply not on the table.

Enterprises operating in other fields should welcome the chance to open up their communication channels in order to receive unfiltered feedback from customers and partners, and to showcase their own strengths and achievements via social networks. Of course, this means that existing works agreements and non-disclosure rules need to be updated or completely rewritten, and maybe it would be a good idea to hold seminars for employees in order to bring them up to speed on proper conduct when online. That way, you can generate cooperation and make sure everyone understands the problem so that digital information and identities can flow freely over the Internet.

The upcoming German census in 2011 might prove to be a good starting point to boost awareness both among employees and citizens about the risks involved in being too generous with private and business information.

