7 July 2020

How does COVID-19 impact data protection compliance?

There is no ordinary anymore. COVID-19 has changed how people work, exposing organisations’ confidential data to a variety of attacks. But data protection best practice hasn’t changed—only become more important.

Crisis equals opportunity to cyber criminals. While remote working keeps businesses going in tough times, subpar home security is likely to be the weakest link in the chain.

So, how can organisations mitigate this risk?

Quick best practice refresher

Now more than ever it’s essential to get the basics right.

Firstly, ensure corporate security policies are applied to all organisation-owned devices. Secondly, ensure your colleagues adopt best-practice behaviours. These include complex and frequently updated passwords, use of a VPN, regular software and anti-virus updates, patching, etc. Remote workers should also secure their home wireless networks by changing default router passwords, which are an easy target for opportunists.

Also, watch out for phishing. Scams have grown dramatically during lockdown. We find a mixture of formal training and informal conversations is most effective to help employees identify the telltale signs and avoid being sucked in.

How to collect employee data compliantly

Businesses need to know how their employees are coping with remote working, as well as what they’re up to. However, the benefits of collecting employee data must always be weighed against the data privacy of the individuals concerned.

Activity monitoring: When monitoring employee activity, you must always outline a clear and legitimate purpose and communicate it to all employees. In some cases this would be considered a high-risk processing activity, which requires a Data Protection Impact Assessment (DPIA) to be carried out and formally signed off. The goal is to design the processing activity around security while minimising data privacy implications. If the process is based on consent, this must be freely and specifically given.

Surveys: Surveys can help organisations understand the key issues employees are facing during the crisis and develop measures to improve their productivity and wellbeing. They don’t give organisations carte blanche, though. The purpose for collecting the data must align with one of the six approved purposes highlighted in the General Data Protection Regulation (GDPR). All data collected must be clearly defined and transparent to the individuals supplying the information. Any sensitive data, such as an employee’s health or medical condition, may be useful for informational purposes; however, greater security and justification are needed for this higher-risk data.

Managing the risk from within

The pandemic has unfortunately seen thousands of remote workers furloughed or made redundant. Some of them may feel aggrieved. Some may just be careless with company property. If your business has been forced to let people go, you could be at higher risk of deliberate or inadvertent data breaches.

What sensitive data can they access? Could it be on their desktops? Can you remove their access? Resolve these blind spots where possible before implementing any redundancies or furloughs. Also, expect a rise in data subject requests, which require organisations to provide or remove data associated with that individual.

Conclusion—don’t wait for your security to be tested

COVID-19 has dramatically shifted many organisations’ risk profiles, but data protection best practice remains unchanged. While the virus may be indiscriminate, hackers still prey on weak links. Organisations must double down on business-as-usual security while anticipating and mitigating the risks of remote working, furloughs and redundancies. Lockdown doesn’t have to mean your security is easier to unlock.