Balancing Risk and Compliance

An expert on workplace e-privacy has compiled a list of the top 10 best practices for organizations seeking to maximize compliance and minimize risk.

Tuesday, October 16, 2007

1. Put Acceptable Usage Policies In Writing.

Don't rely on e-mail or the Intranet alone to inform employees of e-mail and Web policies and procedures. Distribute a hard copy of each policy to every employee. Require employees to sign and date each policy, acknowledging they have read it, understand it, and agree to comply with it or accept the consequences, up to and including termination.

2. Educate Employees About Risks, Policies and Compliance.

Don't assume employees understand e-mail and Web risks, and don't expect untrained employees to comply with acceptable-usage policies. The courts appreciate best practices-based policies that are supported by mandatory companywide training and backed by a combination of disciplinary action and management technology.

3. Establish E-mail Business Record Retention Guidelines.

Should you ever face a workplace lawsuit, e-mail business records will be subpoenaed as evidence. Nonetheless, 43 percent of business users report that they do not know the difference between business-critical e-mail that must be retained and nonessential messages that can be purged from the system. As part of your strategic e-mail management and acceptable-usage-policy program, be sure to define "e-mail business record" for your organization. Based on that definition, consistently apply formal retention rules, policies, procedures and schedules to business-related/business record e-mail.

4. Set Rules for Personal Use.

Use acceptable-usage policies to spell out exactly how much personal e-mail use and Web surfing is allowed, when, with whom and under what circumstances. Be clear. Use specific language to prevent misunderstandings or individual interpretation of policy. 

5. Recap Harassment, Discrimination, Ethics, Confidentiality, Security and Other Policies.

Company policy is company policy, regardless of the communications tool employed. Make sure employees understand that all company policies -- including but not limited to those governing harassment, discrimination, ethics, confidentiality and security -- apply to e-mail, Web use and content.

6. Stress Compliance with Sexual-Harassment Policy.

Because of the relaxed, informal nature of e-mail, some employees will write comments they would never say aloud. Make sure employees understand that, regardless of how it is transmitted, an inappropriate comment is an inappropriate comment. All it takes is one off-color joke, "naughty" photo, sexually charged cartoon, or otherwise offensive message to trigger an expensive, protracted legal claim alleging a hostile work environment.

7. Address Monitoring and Privacy.

Use clearly written, comprehensive acceptable-usage policies to notify employees -- in clear and specific detail -- of the organization's monitoring policies and practices. While only two states (Delaware and Connecticut) require employers to notify employees that they are being monitored, 89 percent of bosses alert workers that their Web usage is being tracked, and another 86 percent notify e-mail users that they are being monitored, according to American Management Association/ePolicy Institute research.

8. Enforce Content Rules.

Communicate the fact that e-mail and the Web are to be used primarily as business communications tools. Clearly define approved and banned language and content. Insist that employees behave professionally and adhere to the rules of civil business behavior, also known as "netiquette" or electronic etiquette, when using the organization's e-mail and Internet systems.

9. Support Acceptable-Usage Policies with Technology.

Because accidents happen (and disgruntled employees occasionally trigger intentional disasters), it's impossible to ensure 100 percent compliance. Support written rules with policy-based technology tools, designed to monitor and filter content, block access to inappropriate sites, lock out malicious intruders, and retain and archive all-important e-mail business records.

10. Don't Allow Employees to Dismiss Policy as Unenforceable.

Make sure employees understand that their computer activity may be monitored. Stress the fact that policy violators will face disciplinary action that may include termination. Let employees know you mean business by enforcing your e-mail and Web acceptable-usage policies consistently among all employees, regardless of rank or title.

An international speaker and trainer, ePolicy Institute Executive Director Nancy Flynn is the author of eight books published in five languages. As a recognized authority on workplace e-mail/IM/blog/Internet usage, Flynn is a popular media source who has been interviewed by Fortune, Time, Financial Times, Newsweek, The Wall Street Journal, U.S. News & World Report, BusinessWeek, USA Today, New York Times, National Public Radio, CNBC, CNN, CBS, ABC, NBC, and Fox News, among others.

Copyright 2017© LRP Publications