In the age of enterprise social networking, Yammer continues to be an incredibly popular platform for employees to stay connected and share information. While the platform is great for facilitating collaboration, organisations need to treat it as they would other line-of-business systems across the company – with clear governance and usage policies as well as oversight across platform activities to ensure neither internal nor external compliance requirements are being violated. This is especially true in Queensland, Australia, where government organisations are subject to the Information Privacy (IP) Act 2009 (Qld).
The IP Act was established “to provide safeguards for the handling of personal information in the public sector environment, and to allow access to and amendment of personal information.” The act specifies circumstances where organisations may transfer personal information out of Australia – which applies directly to Yammer, as data on the cloud-based platform is not stored in Australia and data is often transferred across global data centers. Organisations’ IT obligations (and the business’s data privacy and compliance obligations) are not mitigated if they move their data to the cloud. The opposite is in fact the case. Because of this, employees must be made aware of the ramifications of the information they’re sharing on the network to understand what should and should not be shared through Yammer. At the same time, organisations need to be able to identify information transferred through the system that violates the IP Act and automatically take action accordingly.
With effective training, tools for simplifying the evaluation of system privacy, and the right technology in place, organisations can enable their employees to reap the social collaboration benefits of Yammer without fear of violating Australian regulations.
The Importance of Education and Automated Risk Assessment
With the ubiquity of social networks like Facebook, Twitter, and LinkedIn, establishing social media guidelines and training employees on what to do and not to do on the external-facing platforms has become a standard practice for any organisation. When it comes to internal social networks like Yammer, having policies and guidance in place for workers is just as important – if not more important. Just as organisations establish governance policies for collaboration platforms like SharePoint, enterprise social networks should be no different. Through training programs and documentation, empower your employees with the knowledge to use Yammer effectively while avoiding putting anything into the system that could put themselves or the organisation at risk of breaches of personal data.
Just like other technology systems that run across the organisation, Yammer should be included in Privacy Impact Assessments (PIAs) to analyze system privacy risk. Exclusively distributed by the International Association of Privacy Professionals (IAPP), the AvePoint Privacy Impact Assessment (APIA) system is a free tool that automates the process of evaluating, assessing, and reporting on the privacy implications of enterprise IT systems, including Yammer. Already used by more than 2,300 practitioners today, APIA uses a form-based system and built-in workflows to understand how personal information is handled by systems to help comply with global legislation – including regulations specific to Australia. To download APIA for free today and start assessing the risk of your Yammer environment, please visit the IAPP website.
How to Put Yammer Data Privacy Policies into Action with DLP Technology
While education and assessment are critical steps toward a compliant Yammer environment, you cannot count on your employees to do what’s right all the time. Proper training and policies make it easier for them to do the right thing; technology fills the gap by making it difficult for them to do the wrong thing. This is where AvePoint Compliance Guardian comes in. As a full Data Loss Prevention (DLP) and Governance, Risk and Compliance (GRC) platform, AvePoint Compliance Guardian mitigates privacy, information security, and compliance risks across your information gateways – including Yammer – with a comprehensive risk management process:
- Scan Yammer content against pre-defined regulatory policies, including the IP Act, based on AvePoint Compliance Guardian’s out-of-the-box checks to report on data and identify vulnerabilities. You can also set up customizable checks based on your organisation’s specific needs.
- Implement Yammer compliance policies with scheduled or real-time scanning, tagging, and action. Based on context, take actions on offending information across the platform. AvePoint Compliance Guardian automatically blocks, moves, deletes, quarantines, encrypts, redacts, or restricts access to sensitive data based upon its classification.
- Prove Yammer compliance with ongoing monitoring, detailed reporting, and granular incident tracking. Easily describe your controls and processes for protecting sensitive data across your Yammer network to business users, regulators, and auditors with exportable reports that demonstrate how you have documented, addressed, and plan to continue enforcing policy compliance on the platform.
How to Unlock Yammer’s Productivity Potential While Maintaining Compliance
Yammer is already used by more than 200,000 companies worldwide, and the opportunity for enhanced communication, collaboration, and productivity through it is undeniable. Just like other IT systems, though, Yammer should be dealt with properly to ensure compliance with internal and external regulations – and this is no different in the Australian public sector. With the right processes, policies, and technology in place, however, agencies can reap the benefits of Yammer without having to worry about the risks.
To find out more about how Yammer relates to the IP Act, visit the Office of the Information Commissioner of Queensland site. To learn more about how AvePoint can help you maintain a compliant Yammer environment, please visit our website.
Nice post Ed, I have had this come up in conversations previously in Queensland and it is great to see your thoughts on this.
Thank you Roux.
I was looking for information on compliance while still keeping the collaborative feel of Yammer–we want people to feel that the space is theirs without being overtly monitored. Yet as our external network grows, it’s better to have policies in place now than try to catch up later. Thanks for writing this! I’m looking into APIA now.
Thank you Becky. I absolutely agree with you! I am happy to help if you have any questions around APIA.