Thursday, September 22, 2011

Social Media and compliance

More and more people are worried about how the latest trends in technology are going to affect their IT systems and ultimately their business. How is your information infrastructure affected by the fact that more and more people are bringing smartphones and tablets to work? How much of your employees' Facebook and Twitter chat is relevant to the business? Does cloud computing offer opportunities or threats? What does all that mean for my regulatory compliance policies?

We don't have all the answers yet, but something needs to be done to prevent total information chaos from spreading through your IT landscape and beyond.
First of all, we need to realize that there is no longer a clear distinction between the internal and the external network. With people working on mobile devices, using Dropbox and chatting on social networks, it is no longer possible to keep all business data within the company firewall. You can try to contain the situation by blocking social sites, by only allowing authorized devices on your company network and by refraining from using cloud services. You can even try to monitor your employees' tweets.
You will fail. The modern user will find a way to read his company email on his iPhone. He will switch to a new social network site once you think you've blocked them all. Most importantly, he will communicate with colleagues or even competitors while out of the office. The beast of personal communication is out of the cage and he is not going back in.

So, what to do?
My advice is that we should stop trying to control everything. We only need to control the information that is needed for compliance. But what do we need for compliance? I propose to use some common sense and apply some policies from the past to the current digital age.

40 years ago everything was still on paper and we had a clerk filing all the paperwork in the basement. That was our records archive and it complied with the regulations at the time. Of course there was lots of social communication then too. Colleagues would discuss business over lunch, journalists would call and people would talk to clients and competitors at conferences. None of that was recorded, so it could not be archived. Businesses did, however, realize that these informal communications could impact the business, so they made codes of conduct. Rules such as "don't discuss a client's business with another client" and "don't speak of our new developments with our competitors" were laid down.
Employees were made to understand the risks to the business and trained in the code of conduct. Those who didn't comply were warned and then fired.

Let's do the same thing in the social media age. Let's take advantage of the upside of working from anywhere, cloud computing and social networks. But let's do it responsibly. Educate employees on the (legal) risks the business is running and that business communications need to be stored and archived. Create a Code of Conduct that describes in broad terms which types of media are deemed suitable for business communication.
Media that are not deemed suitable should be treated with care. A chat message or tweet may feel just like part of an informal phone conversation, but it is not. It is recorded and easily reproduced, forwarded or retweeted. Make clear in your policies that this is not the domain for sensitive business information.
Once you've determined which media and applications your company will use for official communication, all others can be placed in the informal, phone-like communication category. Then you can say that if someone tweets 'We have a deal' it can be treated just like calling someone and saying 'We have a deal'. You still need the signed contract, and the contract will be treated as a record, not the phone call.

Summary
In order to avert compliance chaos we need to:
  • Determine what will be our company's official communication channels
  • Have a Code of Conduct
  • Train our employees to use only the official means for official communication
  • Train them to be careful with other digital communications
  • Trust them to do their job




Tell me what you think. How will you handle the regulatory nightmare that is coming our way?
