Key Insights Blog

7 July 2020

How does COVID-19 impact data protection compliance?

There is no ordinary anymore. COVID-19 has changed how people work, exposing organisations’ confidential data to a variety of attacks. But data protection best practice hasn’t changed; it has only become more important.

To cyber criminals, crisis equals opportunity. While remote working keeps businesses going in tough times, subpar home security is likely to be the weakest link in the chain.

So, how can organisations mitigate this risk?

Quick best practice refresher

Now more than ever it’s essential to get the basics right.

Firstly, ensure corporate security policies are applied to all organisation-owned devices. Secondly, ensure your colleagues adopt best-practice behaviours. These include complex and frequently updated passwords, use of a VPN, regular software and anti-virus updates, patching, and so on. Remote workers should also secure their home wireless networks by changing default router passwords, which are an easy target for opportunists.

Also, watch out for phishing. Scams have grown dramatically during lockdown. We find a mixture of formal training and informal conversations is most effective to help employees identify the telltale signs and avoid being sucked in.

How to collect employee data compliantly

Businesses need to know how their employees are coping with remote working, as well as what they’re up to. However, the benefits of collecting employee data must always be weighed against the data privacy of the individuals concerned.

Activity monitoring: When monitoring employee activity, you must always set out a clear and legitimate purpose and communicate it to all employees. In some cases this would be considered a high-risk processing activity, which requires a Data Protection Impact Assessment (DPIA) to be carried out and formally signed off. The goal is to design the processing activity around security while minimising data privacy implications. If the processing is based on consent, that consent must be freely and specifically given.

Surveys: Surveys can help organisations understand the key issues employees are facing during the crisis and develop measures to improve their productivity and wellbeing. They don’t give organisations carte blanche, though. The purpose for collecting the data must align with one of the six lawful bases for processing set out in the General Data Protection Regulation (GDPR). All data collected must be clearly defined and transparent to the individuals supplying the information. Sensitive data, such as an employee’s health or medical condition, may be useful for informational purposes; however, greater security and justification are needed for this higher-risk data.

Managing the risk from within

The pandemic has unfortunately seen thousands of remote workers furloughed or made redundant. Some of them may feel aggrieved. Some may just be careless with company property. If your business has been forced to let people go, you could be at higher risk of deliberate or inadvertent data breaches.

What sensitive data can they access? Could it be stored on their desktops? Can you remove their access? Resolve these blind spots where possible before implementing any redundancies or furloughs. Also, expect a rise in data subject requests, which require organisations to provide or remove the data associated with that individual.

Conclusion—don’t wait for your security to be tested

COVID-19 has dramatically shifted many organisations’ risk profiles, but data protection best practice remains unchanged. While the virus may be indiscriminate, hackers still prey on weak links. Organisations must double down on business-as-usual security while anticipating and mitigating the risks of remote working, furloughs and redundancies. Lockdown doesn’t have to mean your security is easier to unlock.