7 Ways to Mitigate the Legal & Compliance Risks of Slack

There’s no doubt that a tool like Slack can improve communication and collaboration within a company—but it also introduces certain legal and compliance risks. Just ask luggage company Away.


Late in 2019, the company was rocked by a scandal that was a direct result of its use of Slack. The Verge journalist Zoe Schiffer published an exposé claiming that several employees had been fired because of a Slack channel they’d created to vent their frustrations about the company. 

This private channel called #Hot-Topics was against company policy. Away had outlawed the use of email internally and also discouraged direct messages and private channels—employees were supposed to make use of public channels to create a culture of transparency and collaboration.

But according to Schiffer’s article, it had the opposite result. “The rules had been implemented in the name of transparency, but employees say they created a culture of intimidation and constant surveillance. Once, when a suitcase was sent out with a customer’s incomplete initials stenciled onto the luggage tag, CEO Steph Korey said the person in charge must have been ‘brain dead’ and threatened to take over the project,” the article claims. “‘Slack bullying is a thing,’ explains a former member of the creative team we’ll call Erica. ‘In my experience there, it’s extensive and relentless. It wasn’t just co-workers pinning things on other people—it came from the execs.’”


The CEO also found out about the #Hot-Topics channel and joined the conversation. “She’d found out about the channel from Erin Grau, the head of people, who said language in the room had made at least one person uncomfortable. ‘I thought, Damn, she’s gonna see us talking about some stupid stuff, but whatever,’ recalls a former marketing manager named Emily. She hoped Korey would at least find the conversations funny. That hope evaporated the next day when Korey began calling people into a room one by one. There, flanked by the company’s head of people and general counsel, she told six people they were being let go,” states the Verge article.

Balancing Transparency, Privacy, and Security on Slack

As is almost always the case, the two sides disagreed about some of the facts, but regardless of who was right or wrong in this instance, the article still highlights some difficult questions that every modern company needs to wrestle with: What does acceptable use of an enterprise collaboration tool look like? How and when should policies be enforced? How active should top company leaders be on these platforms? Do employees have a right to a certain level of privacy on a tool like Slack?

These are not easy questions to answer. And they are complicated by the fact that companies also need to manage the data security risks associated with these platforms. As with email, employees can (intentionally or unintentionally) share restricted information that should not be shared, so some form of platform monitoring is not only advisable but essential.

How to Mitigate the Legal & Compliance Risks of Slack

So how can organizations create an environment where legal and compliance risks are mitigated, but employees don’t feel as if they are under constant surveillance?

1. Set Clear Policies

When it comes to encouraging proper use of a collaboration tool, setting expectations is crucial, which is why clear policies are important. Companies should have formal policies in place that guide the use of an enterprise collaboration platform. Specifically, there should be a communication policy that outlines how employees should communicate on the platform (no profanity, no bullying behavior, etc.), and there should be a security policy that explains how sensitive data is monitored and protected. These policies should not only state how the platform is being managed, but also explain why certain actions are being taken. Transparency is also crucial. If, for example, conversations are being monitored, or managers have access to private messages and channels, this should be stated clearly. 

2. Provide Mandatory Training

Employees need to be given mandatory training that outlines exactly what acceptable use of a collaboration platform looks like and discusses company policies in detail—they shouldn’t be expected to read (and sign) these policies on their own, but should instead be walked through them as a regular part of onboarding. Even though this can be time-consuming, it is one of the most effective tools available in combating improper use of a team collaboration tool.

3. Carefully Manage Users, Groups, and Roles

The best way to prevent users from creating unsanctioned private or public channels is simply to restrict their ability to do this, so as a company grows, leaders should limit the ability to create new channels to key personnel. You may even want to limit the people who are able to post in large company-wide channels, as these can otherwise become very noisy and disruptive. And if some executives need access to private channels and conversations, this should be limited to essential stakeholders, and employees should be made aware of who these individuals are and why it makes sense for them to have access.     

4. Find the Shadow IT

Employees looking to keep their conversations private might resort to a collaboration tool that isn’t sanctioned or managed by the organization. Or they might simply find a tool that works well for their department and implement it without authorization. In either case, this sort of “shadow IT” poses a real threat to data security—and it’s a problem within most companies. In fact, a 2019 survey found that 67% of teams in large companies had introduced their own collaboration tool without the input of any other department. So, compliance teams and IT departments need to ensure that they unearth all the shadow IT lurking within the company and make sure that they have control of all collaboration tools.

5. Monitor the Platform Intelligently

As mentioned earlier, companies need to monitor collaboration platforms to curb data loss, but this doesn’t mean that employees need to be under constant surveillance from IT and HR teams. Modern monitoring and data loss prevention tools can automate this process, necessitating human involvement only once suspicious behavior has been flagged. Large keyword libraries of inappropriate language (like profanity) and sensitive data (like credit card numbers) can be used to monitor conversations in real time without anyone “spying” on employees. If the use of one of these keywords is identified, an administrator is sent a notification.
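To make the automated monitoring described above concrete, here is an added example (not code from the original post, and not Pagefreezer's product) of a small scanner that runs a keyword library and a credit card detector over a batch of constructed Slack-style messages. It goes slightly beyond the paragraph in one way a practitioner would want: a plain regex for 16-digit runs would also flag order numbers and ticket IDs, so the card rule additionally applies a Luhn checksum before alerting, and the excerpt handed to the administrator is redacted so the alert itself does not spread the sensitive value. The keyword list, message format, and channel/user IDs are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical keyword library; a real deployment would load a far larger list
# (profanity, harassment terms, regulated-data markers) from a managed source.
INAPPROPRIATE_TERMS = {"brain dead", "idiot", "worthless"}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Alert:
    rule: str      # which monitoring rule fired
    channel: str   # where the message was posted
    user: str      # who posted it
    excerpt: str   # message text, with any card number already masked


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_card(text: str, match: "re.Match") -> str:
    """Replace a matched card number with asterisks, keeping only the last four digits."""
    digits = re.sub(r"\D", "", match.group())
    masked = "*" * (len(digits) - 4) + digits[-4:]
    return text[:match.start()] + masked + text[match.end():]


def scan_message(msg: dict) -> list:
    """Apply both rules to one message; returns zero or more Alerts."""
    alerts = []
    text = msg["text"]
    lowered = text.lower()

    # Rule 1: inappropriate language, matched on word boundaries to avoid
    # flagging substrings of harmless words.
    for term in sorted(INAPPROPRIATE_TERMS):
        if re.search(r"\b" + re.escape(term) + r"\b", lowered):
            alerts.append(Alert("inappropriate_language", msg["channel"], msg["user"], text))
            break

    # Rule 2: credit card numbers, confirmed with Luhn and redacted in the alert.
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            alerts.append(Alert("credit_card_number", msg["channel"], msg["user"],
                                redact_card(text, m)))
    return alerts


def scan_messages(messages: list) -> list:
    """Scan a batch (e.g. one polling interval of the message stream) and collect alerts."""
    alerts = []
    for msg in messages:
        alerts.extend(scan_message(msg))
    return alerts


# Constructed sample traffic: one clean message, one keyword hit, one real-looking
# card number (4111... is the standard Visa test number), and one 16-digit order
# reference that a naive regex would have flagged but the Luhn check rejects.
SAMPLE_MESSAGES = [
    {"channel": "#general", "user": "U01", "text": "Shipping the Q3 deck this afternoon."},
    {"channel": "#hot-topics", "user": "U02", "text": "That whole team is brain dead."},
    {"channel": "#support", "user": "U03",
     "text": "Customer card number is 4111 1111 1111 1111, can you refund?"},
    {"channel": "#support", "user": "U04", "text": "Order ref 1234 5678 9012 3456 still pending."},
]


def notify_admin(alert: Alert) -> None:
    """Stand-in for whatever notification channel the administrator actually uses."""
    print(f"[{alert.rule}] {alert.channel} by {alert.user}: {alert.excerpt}")


if __name__ == "__main__":
    for alert in scan_messages(SAMPLE_MESSAGES):
        notify_admin(alert)
```

Only the two flagged messages reach a human; the clean message and the Luhn-invalid order reference never generate a notification, which is the difference between automated detection and blanket surveillance that the paragraph is drawing.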

6. Collect and Preserve Data

The Away example perfectly illustrates how Slack data could become central to a legal matter. If a case like this finds its way to court, legal teams would need to submit authenticated evidence. This means Slack data needs to be collected and preserved in a format that would be accepted by a court. The best way to do this is to rely on an eDiscovery solution that automatically collects and preserves this data (including edited and deleted content) for use by legal and compliance teams. This kind of solution makes it easy for teams to access, search, and export evidence without any involvement from the IT department. 

7. Manage Data Retention Settings

Another crucial step in managing the eDiscovery of a team collaboration tool is configuring retention correctly. Team collaboration tools allow you to set retention periods for channels and conversations — Slack, for instance, retains all messages for the lifetime of a workspace by default. You want to make sure that these settings align with the retention periods of your larger organization. You might not want to retain messages forever, but you also do not want to delete data too quickly, leaving legal, compliance, and HR teams unable to retrieve these records.

New Tools Require New Rules of Engagement

It’s up to each organization to decide how they want to manage the use of Slack (or any other tool, like Microsoft Teams or Workplace from Facebook), but it’s important to remember that a team collaboration tool is a new form of business communication that demands unique “rules of engagement”. 

While it requires the same retention, collection, and preservation as email, it is in many ways more like a face-to-face conversation or an in-person meeting than a carefully-crafted email. People will say things without thinking. There will be attempts at humor that fall flat. Even the most considerate and thoughtful employees will post something inappropriate in a moment of frustration. But unlike with a face-to-face conversation, a momentary lapse in judgment can be captured on Slack forever. 

So while it is crucial to actively monitor a team collaboration tool and enforce policies, employees should also be allowed to express themselves without fear that every off-the-cuff remark will result in serious disciplinary action. Employees should be given the benefit of the doubt and the context of any remark should always be considered, because without a sense of psychological safety, effective teamwork and collaboration can’t happen.

See how Pagefreezer can help mitigate the legal and compliance risks of Slack. Visit our Enterprise Collaboration page, or download our case study to see how Pagefreezer assisted a leading financial institution with the secure implementation of a team collaboration tool for 80,000 employees.

Peter Callaghan
Peter Callaghan is the Chief Revenue Officer at Pagefreezer. He has a very successful record in the tech industry, bringing significant market share increases and exponential revenue growth to the companies he has served. Peter has a passion for building high-performance sales and marketing teams, developing value-based go-to-market strategies, and creating effective brand strategies.
