As many of us settle into what is likely to be an extended period of working from home in line with lockdown and social distancing measures introduced by the government to combat the COVID-19 pandemic, it is essential that businesses and organisations, together with their staff and employees, continue to maintain high standards of data protection compliance.
The Information Commissioner’s Office (ICO) has recently issued the following statement with regard to working from home:
“Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.”
The ICO has also published helpful guidance for businesses on coronavirus and data protection: https://ico.org.uk/for-organisations/data-protection-and-coronavirus/.
In these very difficult times, the last thing that a business can afford to have to deal with is the fallout from a personal data breach – this could cause yet further economic and reputational damage for the organisation that is impacted, not to mention further harm to the individuals whose data is compromised.
What are the key data protection risks presented by homeworking?
Whilst these are exceptional times, controllers and processors of personal data still have an obligation to ensure that appropriate technical and organisational security measures are in place. Controller organisations also remain obliged to notify personal data breaches to the relevant data protection supervisory authority (or authorities), and to affected individuals where required.
Homeworking may result in increased data protection and security risks, particularly for organisations that are not readily set up for staff to work remotely, including risks arising in relation to:
- hackers or malicious actors taking advantage of the current situation to launch phishing campaigns, viruses, malware or ransomware, knowing that an organisation’s systems may be more vulnerable;
- infrastructure security, where staff access is not managed properly using measures such as VPN / secure gateway access and multi-factor authentication;
- the processes for transferring personal data from the office to home – e.g. staff using removable media, emailing work to personal email accounts, or printing sensitive work-related materials on unsecured personal printers; and
- use of new remote working systems, such as collaboration tools – e.g.:
  - shortcuts may have been taken in relation to supplier due diligence, data processing agreements and safeguards for international data transfers, meaning that if a data breach happens on the supplier’s side the customer organisation may not be as well protected as it could be; and
  - users / clients may not have been informed that their personal data will be processed using these tools (in line with the organisation’s transparency obligations under the GDPR).
What should organisations be doing to mitigate these risks?
To manage the security risks of a personal data breach during these unsettled times, organisations should take measures such as:
- Invoking business continuity plans to ensure the ongoing availability and resilience of the systems the business needs in order to operate, and ensuring that key stakeholders can communicate effectively with each other, the business and its customers / clients;
- Reminding staff of their obligations regarding data protection and information security, in particular raising awareness of the extra vigilance needed to combat hackers or malicious actors;
- Ensuring that high security standards are maintained in relation to any new systems and tools that are introduced to facilitate remote working;
- Keeping security measures under constant review and updating them where necessary so that they remain appropriate and take account of the new working environment and its associated risks. This will involve carrying out an updated risk analysis, reviewing organisational policies and procedures (or putting new ones in place where these do not exist), and considering any new physical and technical measures or additional security requirements that may now need to be implemented; and
- Having the organisation’s data breach response plan close to hand in case this needs to be invoked.
What if you do suffer a data breach?
In the unfortunate event that you do suffer a personal data breach, immediate steps will need to be taken to:
- identify the source and cause of the data breach (which is not always straightforward) in order to contain it and prevent any further breaches;
- assess who the organisation is required to notify (having identified its lead supervisory authority in advance) – if the breach has a cross-border impact, it may be necessary to notify more than one data protection regulator (depending on the jurisdictions impacted and whether the one-stop-shop mechanism applies);
- prepare and file the necessary regulatory breach notifications;
- prepare and send communications to affected data subjects; and
- manage reputation and press communications (if necessary).
Under the GDPR, the following breach notification obligations apply:
- If your organisation is a controller, it must notify:
- the relevant data protection supervisory authority (or authorities) without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless the breach is unlikely to result in a risk to individuals; and
- affected data subjects without undue delay if the breach is likely to pose a high risk to them, unless appropriate technical and organisational protection measures were applied to the affected data (for example, encryption that renders it unintelligible to anyone not authorised to access it), or subsequent measures have been taken which ensure that the high risk is no longer likely to materialise.
- If your organisation is a processor, it must notify data breaches to the controller without undue delay and assist the controller in complying with its own breach obligations. In addition, the processor may have contractual obligations to notify the controller within set time periods, which are often shorter than the 72-hour regulatory deadline, so that the controller can meet it.
It is important to remember that, whilst your organisation is having to grapple with new ways of working, it is “business as usual” for opportunistic hackers or malicious actors. Therefore, you will need to ensure that high standards of information security and data protection are maintained – otherwise, your organisation may find itself fighting other viruses as well as the coronavirus.