“As data becomes the key resource for every business, the security and privacy of data becomes every organization’s concern.”
STUART BERMAN | IT Security architect at Steelcase
Data Privacy in a Connected World by Design
The Smallest Actions Can Have the Biggest Implications
Every day we trade private communication about ourselves inreturn for digital devices. We make an online purchase, use a search engine, or download an app, and Google, Facebook, Apple, Amazon and others harvest data about where we go, what we buy, who we interact with online.
For many people this is a reasonable trade, data for services that make life easier, more interesting, more fun. Others are less comfortable about this tradeoff. Yet everyone expects their personal data to remain private and secure.
“Privacy in the workplace used to be about audio privacy, visual privacy, territorial privacy and informational privacy,” says Steelcase Senior Design Researcher, Melanie Redman. “These are types of privacy people say they need in order to focus.”
“What’s changed is how we think about informational privacy: now we think about data privacy and about psychological privacy, because our perception of privacy impacts all of our other experiences. Privacy is more contextual in the workplace, more personal and a topic of growing importance in every organization.”
Privacy in a Connected World
Privacy is not a new issue for Steelcase. The company has conducted research on privacy in the workplace for over two decades, and three years ago began to study digital privacy issues.
“Organizations have made assumptions about digital privacy, but those assumptions had never been tested. The assumption was that people are willing to trade personal data in return for services, such as web searches or connecting with other via social media, so they would be willing to make the same trade at work. In other words, they would allow the collection of data in return for helpful business services. We wanted to test those assumptions,” says Redman.
Steelcase surveyed 3,000 people around the world about privacy concerns in the workplace. A major finding: employees’ attitudes about privacy are remarkably consistent across geography, gender and demographics. This calls into question popular notions about privacy, such as assuming younger workers, who constantly share information via social media, are less concerned about data privacy. It turns out that privacy attitudes don’t vary age; they vary by the type of organization people work in, and by the ways people work.
Attitudes about privacy differ, for example, based on how mobile a worker is, how readily they adopt new technology or how collaborative they are in their work.
Two dimensions of privacy have moved to the forefront for employees. One is being able to control stimulation and distraction, a fallout from more open workplaces and the use of mobile devices. It’s hard to find quiet, private time and harder to disconnect from work. Controlling stimulation can be accomplished through the physical workplace and Steelcase has many strategies to help companies provide places for privacy, rest and rejuvenation.
The second ascendant issue is controlling information. The proliferation of data and the increased ease of aggregating and deriving value from it mean it’s harder to control who has our information and what’s done with it. Losing control over your data causes anxiety because controlling your information is essential to privacy.
“The world is increasingly digital and data driven and we’re rapidly entering a future where everything will be connected. As data becomes the key resource for every business, the security and privacy of data becomes every organization’s concern,” says Stuart Berman, IT security architect at Steelcase.
To ensure the responsible collection, analysis, and management of data, Steelcase designs all of its technology products to strict privacy and security standards. “We know how important it is for companies, and individuals, to control their information. So before we developed any digital products at Steelcase, we establish company principles of privacy by design, and data security by design,” says Barbara Hiemstra, Steelcase privacy engineer.
Meet Steelcase’s Privacy Engineer
High-profile security breaches, social medial user tracking, protecting and securing data from cyber attacks: The realities of the connected world have led to an emerging profession, the privacy engineer, an increasingly common position at web and software companies. Barbara Hiemstra is one of the first privacy engineers in the office furniture industry.
“I’m part of the IT security team that interacts with researchers, designers, software developers, legal experts and others to help ensure that privacy is an integral part of the design process. We recommend privacy-enhancing technologies to mitigate privacy risks, conduct privacy-related risk assessments and help integrate privacy into the software engineering lifecycle,” says Heimstra.
Her team also informs users in cyber hygiene: individual behaviors to maintain a “healthy” (secure) online presence. This includes password maintenance, software and virus protection updates, data backups and other strategies. The content is made available to Steelcase dealers, who in turn can offer it to customers.
“Big data is an awesome tool, but it comes with a big responsibility,” warns Hiemstra.
This approach stems from Steelcase’s longstanding user-centered design process for developing new products. “We don’t create a chair, for example, based on what we believe the customer wants. We talk to them first, we go into the field, we observe how people work, the issue they have. We draw insights from those observations, and we engineer and design around those insights. So we do the same work before we develop our digital products,” says Redman.
One of Steelcase’s first digital products, introduced in 2017, is Workplace Advisor. It collects data about how the workplace is used in order to help organizations understand how to best use their real estate and create more effective workplaces.
“We are completely transparent about all the customer data Workplace Advisor collects, how we use it, how we secure it. We want our customers to completely understand the process,” says Shawn Hamacher, assistant general counsel at Steelcase.
“Privacy by design means we build privacy into the product. You don’t try to bolt it on afterwards. Privacy is part of each digital product’s DNA.”
To safeguard the confidentiality and privacy of the data collected by Workplace Advisor, Steelcase uses the Microsoft Azure IoT platform with its strong security and privacy guarantee. In addition, Workplace Advisor systems will be audited against the Service Organization Controls (SOC 2) framework. Developed by the American Institute of Certified Public Accountants, this includes third-party audits and reports available to Steelcase customers who use Workplace Advisor.
A Global Standard
Privacy standards evolve, of course. For example, Europe recently has taken the lead in digital privacy by establishing the General Data Protection Regulation, or GDPR, which went into effect in May. GDPR increases privacy protection for all individuals in the European Union. Steelcase will comply with GDPR for all of its digital products customers, not only those in Europe but around the world.
“It’s the most stringent standard globally for data privacy and security, and we’re using it for all our customers’ data. It doesn’t matter if you’re a Steelcase customer in Europe, Asia, Africa, North or South America, any country—our digital products will comply with GDPR,” says Berman.
“We want all of our customers to understand that privacy and security by design means transparency in how we operate, how data is gathered and used, and how we protect that data,” adds Hamacher.
The same applies to all Steelcase digital products, including Steelcase Find, a mobile app that helps people quickly locate workspaces and colleagues, which makes it easier to connect and collaborate the core work of the innovation economy.
“High expectations and tough requirements have always been part of the development at Steelcase,” says Steve Rodden, who heads the development team for Smart + Connected products. “As a company, we’re used to dealing with regulatory guidelines, quality standards and different compliance issues for furniture. We want to not just meet basic standards. We want to be excellent in those areas, so we set even higher design, engineering and manufacturing requirements of our own. It’s the same with digital products. We want to lead in data privacy and security, so it was an easy decision for us to set stringent data privacy and security standards as part of our development process.”
Business runs on data. Every time we trade information for a digital product, we help fuel the new global economy. Users must be able to rely on organizations to be fully transparent about how they collect, store and analyze that data.
It’s important that our customers understand that the everyday transactions of data in exchange for helpful services rest on a foundation of privacy and security,” says Hamacher. “We’ve stood behind our products for over 100 years and that’s going to change because it’s a digital product. How we operate is how we’ve always done business. It’s all about trust.”