
The myth of the CEO’s surveillance dashboard

Workplace surveillance is rarely a simple top-down pyramid, but a recursive trap where “Dataism” judges the C-suite and the true “ultimate dashboard” sits not in the boardroom, but with the IT administrators.


I’ve delivered various employee education sessions covering workplace surveillance over the years, and recently updated the material, taking into account the vast amount of change we’ve seen in the past year or so, both technological and societal, and bringing in some interesting cases. I also wanted to bring in the reality I believe exists in quite a few companies, but I also know this can vary depending upon location, local cultural norms, industry sector, etc.

We sometimes visualise workplace surveillance as a pyramid where the CEO sits at the top with a clear view of the bottom. But the reality is that surveillance is rarely a simple top-down model. Instead, companies build complex hierarchies of surveillance where the “watchers” are also the “watched.”

When C-suite executives require workplace analytics, they are often driven by Dataism. They believe the dashboard reveals the truth about efficiency and by accepting this logic, they inadvertently validate the metric as the ultimate judge of value. If the truth of the company is found only in the data, then the executive’s own value must also be measured by that data, and I think that they are not the “masters” of the algorithm because they are also its subjects (or victims).

Once the norm of Dataism is established, it inevitably travels upward:

  • Managers and supervisors are monitored to ensure they enforce protocols. Their ability to manage efficiently becomes an important KPI.

  • Companies use metadata to assess management performance, so if a department is flagged for, say, low engagement by a piece of software, the VP of that department is the one being judged.

Does the CEO have the “ultimate dashboard”? In my career spanning 5 decades, I’ve been in quite a few CEO offices and I’m yet to visit one that resembles a control room, or has various banks of cameras. The CEO is usually too detached and busy to monitor raw surveillance feeds. So, where does the “ultimate dashboard” actually sit?

I think in many cases, the person with the most granular view of a company, including the movements and messages of the C-suite, is a mid-level Systems Administrator or a Security Operations Center (SOC) analyst. This inverts the hierarchy because a junior employee technically has surveillance power over the executive team. Obviously, legal controls should prevent unauthorised disclosure of this powerful information, but a dangerous information asymmetry does exist. The CEO doesn’t see the data. They see a sanitised report filtered by the very people the data is supposed to measure.

Another interesting question is do CEOs make the ultimate decision to procure and implement the surveillance tools? Often, the answer is no. Most large companies use various platforms to help run their businesses, but they are also governed by their mechanisms because the surveillance infrastructure is not always a strategic decision made in the boardroom. It inadvertently begins in procurement and gets implemented in the server room.

For example, the CTO procures Microsoft 365 or Zoom for communication where “Productivity Scores” or “Attention Tracking” features are embedded in the platform’s architecture. The decision to surveil wasn’t made by the CEO, it was made by the platform vendor and enabled by a sysadmin. And of course CISOs buy tools for security.

So the CEO rarely signs a document that says, “Let’s spy on everyone.” They sign a budget for “Digital Transformation,” and the surveillance apparatus is built one piece at a time.

On a final note, years ago I worked with a company where it was revealed that the company’s CEO had made a request to the CISO to surveil another member of the C-suite - all behind the scenes, and undocumented, and yes, in an unlawful manner. This created an awkward dilemma for the CISO, what some might call a “governance crisis.” These days whistleblower laws exist in many countries, but are these sufficient to address such dilemmas?

To conclude, if you are a CEO, you don’t physically pull the levers of the dashboard; your IT admin does. And remember, you are often subject to the default settings of the platforms you procure or the vendors you hire.

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).
