“Privacy must be equally available to everyone in the world”

– Sundar Pichai

“Privacy means people know what they’re signing up for, in plain English, and repeatedly. I’m an optimist; I believe people are smart, and some people want to share more data than other people do. Ask them. Ask them every time.

Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you’re going to do with their data.”

– Steve Jobs

“Privacy gives people the freedom to be themselves and connect more naturally, which is why we build social networks.”

– Mark Zuckerberg

Despite these well-intentioned statements on privacy from the world’s foremost tech leaders, there is still a long way to go in making these ideals a reality.

Companies of all sizes are still figuring out how to best protect their customers’ privacy, how to tackle the growing number of privacy-focused regulations, and how to determine what best practices look like. Big tech companies claim privacy by design, offering principles as to how they (as well as third parties) should develop both hardware and software with privacy in mind. But they haven’t exactly been the poster boys of the privacy movement.

Then there are independent bodies like the National Institute of Standards and Technology (NIST), which issued a Privacy Framework draft that discusses how companies can approach enterprise privacy risk management. NIST isn’t the first entity to tackle this subject. There have been numerous other guidance documents, such as the Fair Information Practice Principles (FIPPs), as well as guidance from the Open Web Application Security Project (OWASP) and the National Information Standards Organization (NISO), all of which provide similar, high-level recommendations.

Such guidance is helpful for organizations in a regulatory climate where broad, imprecise language is the norm. The General Data Protection Regulation (GDPR) in Europe is one of the most notable examples, but there has also been a wave of US regulations at the state and federal levels, introduced to enforce better data management practices.

Generally, the intention is to make regulations as widely applicable as possible, without limiting the execution to specific tools or techniques. But such ambiguity has left security and IT leaders scratching their heads.

Privacy is only one challenge that IT teams are facing. IT has become responsible for driving digital transformation, adopting and optimizing new technologies efficiently and compliantly, future-proofing IT infrastructure, securing corporate assets and maintaining business competitiveness.

Mobility has forced infosec professionals to rethink their security practices. The general consensus is that an on-premises security approach is not as effective as it once was because business workflows have changed, and this has caused a gradual shift from perimeter-based security toward a zero-trust model.

Operating in an environment where the corporate perimeter is porous and IT teams have diminished control over the devices that are accessing corporate resources, infosec professionals are hungry for data. More data means greater visibility and, theoretically, better protection of corporate assets.

But what does this mean for employee privacy? Does the need for heightened network visibility impinge on employee privacy?

An employee does not renounce their privacy values the moment they walk through the office doors. Privacy isn’t just something companies need to consider in the consumer realm, but also in the employee realm.

When mobility enters the conversation, the notion of privacy becomes quite blurred. Mobile devices are inherently personal, hosting substantial amounts of information on their owners and their social networks. We invariably have our smartphones on us or nearby at all times and, without proper provisions in place, the monitoring of mobile devices can lead to privacy concerns.

So how should security teams consider employee privacy from a mobile perspective?

We propose four principles that can be used to help guide organizations as they establish their privacy policies, develop their internal infrastructures, and design new products.