
Beyond Cybersecurity: Why Your Organization Needs an Employee Privacy Strategy

Maintaining security for any organization is like aiming at a moving target. You’ve invested in firewalls, multi-factor authentication, and other technical processes to protect your data and your team. Your IT infrastructure is locked down. But when a staff member asks what to do after being targeted by an online harassment campaign, your cybersecurity measures won’t help.

Employee privacy is not just a subset of cybersecurity; it is a distinct concern that requires its own strategy. However, the reality for privacy protection is as sobering as the security landscape. You can’t prevent every privacy breach or harassment incident. But you can establish clear, proactive policies and provide resources that demonstrate your commitment to protecting your team.

What is the organization’s role in protecting employee privacy?

Employee privacy starts with recognizing what you can control as an organization. Much of an individual’s online presence remains beyond your reach, but you have direct authority over how your organization handles and shares employee information.

Why consent is critical before publishing staff information

Before posting staff names, photos, or biographical information on your website, you should obtain explicit permission from each individual on your team. 

Your team members may have personal histories that lead them to prefer a lower online profile. They may have had run-ins with stalkers, or they may be estranged from family members. Or, they may simply opt to maintain a clear separation between their professional and personal lives.

Out of respect for these circumstances, some organizations choose to remove their staff page altogether or display only first names. If you maintain a public staff list on your website, you should check in with new employees about their preferences as a standard part of onboarding.

The same principle applies to your organization’s social media use. Before you celebrate a new hire with a public LinkedIn post or tag team members in conference photos, check with each individual first. A seemingly innocuous post can expose information that puts people at risk.

Prepare staff to respond to probing questions

What’s the protocol when someone calls or messages the organization asking about an employee? (It might be an estranged family member someone is trying to avoid, or it might be someone using a fake name to gather information.) These inquiries should always be declined and then reported to a designated manager rather than answered directly.

Your employee handbook should include explicit guidance on this protocol. Make a plan to train staff on how to respond if they receive calls, emails, or social media messages asking about colleagues.

The value in offering privacy-protection resources

Instead of posting staff email addresses on your website, you can use contact forms protected with anti-spam measures. If specific team members need to be reachable to those browsing online, provide an organizational email address that can be reassigned when people leave.

You can also provide your staff with VoIP work numbers during onboarding rather than requiring them to use their personal phone numbers for professional reasons. Whether through managed voice services or VoIP platforms, these phone numbers serve multiple purposes beyond privacy. When staff leave, you want calls from donors or external contacts going to a number you control rather than following a former employee to their next role.

Similarly, you should ensure your team uses an organizational address when registering for conferences or other work purposes requiring personal information. Your staff shouldn’t have to expose their home addresses to fulfill professional obligations.

Other employee privacy protections worth considering

For organizations with budget flexibility, you can provide automated data removal services as an employee benefit. These services work to scrub personal information from data broker sites, which are frequently used by harassers to build target lists. This investment makes it harder for bad actors to access your team’s phone numbers and addresses through simple online searches. Personified can connect you with trusted providers and help evaluate which services make sense for your needs and budget.

For staff members at higher risk—those who have already experienced online harassment or who conduct high-profile press interviews—more intensive one-on-one privacy support services exist. These services provide executive-level privacy and security support customized for each individual. Personified also has relationships with privacy specialists who can provide this level of support for our referrals.

If your staff want to clean up their social media footprint, other tools can help implement customized retention policies for platforms like X (formerly Twitter). We can also introduce you to providers who will work with your team to manage your employees’ past posts in a strategic way.

How to build an online harassment response policy

Every organization should establish an online harassment response policy before an incident occurs. Staff trust erodes quickly when organizations aren’t prepared to respond to harassment. If someone reports they’re being doxxed and receiving physical threats, and you haven’t had that conversation about the right support to offer, you lose credibility when a team member needs you most.

Key elements of an effective online harassment response policy

This is incident response planning for employee privacy, and it follows the same logic as a cybersecurity incident response plan: You hope you never need it, but you should be ready just in case.

1. Establish clear reporting channels

Who should staff contact if they’re experiencing online harassment? Ensure that there is a designated communication channel where impacted staff can make a report, and where those responsible for responding can coordinate a response.  

2. Be realistic about the support your organization can provide

Budget plays a role in the level of response you can offer to an employee targeted for harassment. Some organizations offer generous policies that include:

  • Safe lodging for staff receiving physical threats (hotel stays for a week or longer)
  • Stipends for physical security measures like security cameras
  • Funding for specialized crisis response support

If you can’t provide support at those levels, your harassment response policy should clearly outline what your organization can do. You can offer resources, guidance on reporting to platforms and law enforcement, and connections to privacy specialists. 

Research whether any hotlines or support organizations exist that specialize in supporting employees doing work related to your mission. 

3. Document your incident response plan

A documented response policy is valuable not just for the individual facing harassment, but for your organization as a whole. List contacts for crisis communications firms and lawyers you work with so this information is readily available during an incident.

Consider resources like the PEN America Online Harassment Field Manual and Right to Be’s guide for organizations.

When you partner with Personified, we help you develop these policies and connect you directly with vetted privacy specialists through our referral network. Our introductions ensure you’ll work with founders and senior leaders who will prioritize your organization’s onboarding and support needs.

4. Provide privacy guidance for new staff

We can recommend resources about conducting “self-doxxing” exercises, which help staff search for their own information online to understand their digital footprint. A number of organizations offer comprehensive privacy guides specifically designed for activists and nonprofit professionals, including the Access Now Self-Doxing Guide, PEN America’s Online Harassment Field Manual, and the Privacy Guide for Activists with Haters.

5. Consider monitoring platforms for high-risk organizations

Most Personified clients can meet their monitoring needs through Google Alerts and periodic manual searches. However, if your organization is facing persistent threats, more sophisticated measures may be appropriate from companies that monitor social media platforms, criminal forums, and other sources for mentions of your organization or employees. Involving your legal and communications teams in the rollout of these platforms is critical.

Responding to active harassment situations

If a staff member is currently experiencing online harassment, immediate action matters. The Digital Defense Fund’s Online Harassment & Doxxing Response guide recommends:

  • Prioritize physical safety first. If someone is receiving physical threats and their address has been shared, help them relocate to a safe place immediately—whether that’s staying with friends, having someone stay with them, or providing hotel accommodations.
  • Lock down their online presence. Make social media accounts and personal websites/blogs private while the harassment campaign is active.
  • Document everything systematically. Take screenshots of all harassment and store them in a secure place, such as a dedicated folder in Google Drive.

For more detailed guidance, review PEN America’s guide on what to do when you’ve been doxxed or otherwise targeted with online harassment.

Where IT can help with employee privacy (and where it can’t)

Your IT team can implement privacy-protective technologies and integrate them into your organization’s technology stack. When harassment campaigns target work email accounts, you or your IT partner can implement email quarantines that filter messages containing specific keywords to designated reviewers rather than flooding the targeted employee’s inbox. 

For example, harassment campaigns often use repeated vulgar keywords. These systems can automatically route flagged messages away from the targeted staff member to designated quarantine managers for review—providing immediate relief for email harassment.
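The routing decision behind such a quarantine, sketched as an added example (not Personified's code and not any mail platform's API). The addresses, keyword list and function names are hypothetical; the point is that matching must run on the decoded subject and body, because a raw substring check misses encoded headers.

```python
import re
from email import message_from_string, policy

# Hypothetical values for illustration; replace with your own.
PROTECTED = {"staffer@example.org"}         # staff currently being targeted
REVIEWER = "quarantine-review@example.org"  # designated quarantine manager
KEYWORDS = ["badword", "go die"]            # placeholder campaign terms

# Case-insensitive, whole-word match: "badword" must not hit "Badwording".
PATTERN = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, KEYWORDS)), re.I)

def extract_text(msg):
    """Decoded subject plus every text/* part (plain and HTML)."""
    chunks = [str(msg["subject"] or "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())  # undoes base64/quoted-printable
    return "\n".join(chunks)

def route(raw, recipient):
    """Return (deliver_to, matched_terms) for one inbound message."""
    if recipient.lower() not in PROTECTED:
        return recipient, []
    msg = message_from_string(raw, policy=policy.default)
    # Collapse whitespace so a phrase split across a line wrap still matches.
    text = re.sub(r"\s+", " ", extract_text(msg))
    hits = sorted({m.group(0).lower() for m in PATTERN.finditer(text)})
    return (REVIEWER if hits else recipient), hits

# Constructed sample messages (not real mail).
SAMPLE_ENCODED = (
    "From: a@example.net\n"
    "To: staffer@example.org\n"
    "Subject: =?utf-8?b?QmFkV29yZCBhbGVydA==?=\n"  # RFC 2047: "BadWord alert"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "see subject\n"
)
SAMPLE_CLEAN = (
    "From: b@example.net\n"
    "To: staffer@example.org\n"
    "Subject: Badwording policy draft\n"
    "\n"
    "Meeting at 3pm\n"
)
```

Matched messages are redirected to the reviewer rather than dropped, so they remain available as documentation of the campaign.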

IT teams cannot control the harassment protections in place for various social media platforms. These tools vary, and each platform has different reporting mechanisms and effectiveness levels. This distinction matters because it clarifies where your organization needs to look for support. 

IT handles the infrastructure and accounts your organization controls. Privacy specialists, digital rights organizations, and crisis communications firms handle the rest. Personified can bridge this gap by helping you understand which privacy services make sense for your needs and connecting your organization with specialists when issues extend beyond IT infrastructure.

Setting realistic expectations about employee privacy 

Here’s the uncomfortable truth: even if you implement every best practice, determined harassers can still find ways to target your staff. This reality doesn’t negate proper privacy protections. Rather, it underscores the importance of preparation and the need to calibrate your expectations appropriately.

You’re not trying to achieve perfect prevention; you’re putting barriers in place that make you and your team a harder target. You’re showing staff that their organization takes their safety seriously by creating clear response protocols, so there is an action plan ready when an incident occurs. The goal is doing what’s reasonably possible while acknowledging limitations, not making false promises about foolproof protection.

The way forward for protecting your employees’ privacy

Employee privacy demands its own strategy, separate from cybersecurity planning. The threats look different, the solutions involve different tools and specialists, and much of the risk falls outside what IT infrastructure can address.

Personified works with mission-driven organizations to develop employee privacy strategies that integrate with your IT infrastructure. We can help implement technical solutions like VoIP systems and email quarantines and connect you with our network of trusted privacy specialists. 

Organizations that think proactively about employee privacy demonstrate genuine commitment to their teams’ wellbeing. The benefits encompass not only their productivity and security, but also their safety in an increasingly hostile digital environment.

Curious to talk about the next steps for your employee privacy strategy? Let’s connect and talk about how we can help your organization.

