GDPR Guidelines For Businesses During Coronavirus COVID-19
By now you’ll be very aware of the number of regulations that have been put into place to slow the spread of Covid-19. These measures, while necessary, have caused disruptions to businesses across the world. As such, businesses are having to do all they can to minimise the impact this is having on their future and try to find new ways to work to ensure that the company can keep going despite the ongoing uncertainty.
Initially, many would have been concerned with setting up a remote workforce and ensuring staff had the tools they needed to continue working from home, followed by getting functions in place to enable your business to continue providing their goods or services to their customers remotely. But one area you may not have considered is how to remain GDPR compliant amongst all of this.
The new way of working during Covid-19 has raised many issues that need to be considered. For example, more staff are now working from home, perhaps on unsecured networks, more data is being shared online and, unfortunately, an influx of online hackers and scammers are trying to take advantage of this pandemic.
So to help make things a little easier, we’ve put together some GDPR guidelines – with some guidance from the Information Commissioner’s Office (ICO) – for businesses to consider during Covid-19.
Help staff who are working from home
One of the biggest challenges facing businesses is having their staff working from home. This is because there is a higher security risk and more potential for things to go wrong. Usually, companies will run the appropriate risk assessments and put security measures in place to reduce the risk of a data breach and ensure their systems are GDPR compliant. However, it’s unlikely they will have been able to do this for the staff working from home, especially given how quickly they had to prepare their teams to go remote. As such, you need to consider the following:
Generally, most businesses will have a secure network in the office to protect sensitive data. Unfortunately, not everyone will have this at home. This also means that features such as firewalls and encryption might not be available, and weak wi-fi passwords could leave employees and the data they hold vulnerable to man-in-the-middle attacks. One solution to this problem could be setting up a virtual private network (VPN) and allowing staff to connect to it. That said, one of the key concerns here will be making sure that everyone knows how to join this network without the usual support of a tech team.
Your business may not be in a position where it is able to provide all staff with work devices such as laptops and phones. This could mean that while working from home they are using their own devices, and in some cases these could even be shared family devices. This crossover between work and personal technology, though not against GDPR, comes with a few problems. There is a lack of control on the business’ part, plus staff may be using sites or apps on their machines that would not have been allowed on work devices, and these could potentially lead to the devices becoming infected with malware.
What’s more, having these devices at home can mean sensitive data is accessible to prying eyes. To combat this, encourage staff, where possible, to keep work and personal devices separate, and ensure that everything is saved securely and closed down at the end of each day if they are using a personal device for work purposes.
In order to continue working and keep teams connected, many businesses have had to rely on online platforms and technologies such as the cloud. While it’s great that these technologies exist and enable businesses to continue running remotely, the surge in usage of these platforms increases the potential for outages. Platforms struggling to cope with this extra pressure could therefore leave sensitive information vulnerable.
Reduce the room for human error
Unfortunately, employees can be one of the biggest security risks for any business. This is not usually through malicious intent, but often human error can be responsible for data breaches or cyber-attacks. In most cases, this is unsuspecting employees downloading harmful attachments or replying to phishing emails. They might also mishandle or misplace documents containing important data or use a weak password that gives hackers access to their systems.
It’s a sad reality that phishing emails and other scams are on the rise as a result of the virus, with cybercriminals trying to exploit the pandemic. And now that you cannot be there to oversee staff who are working from home, you can’t be sure how they’re handling sensitive data or if they’re following the correct procedures.
As such, it could be a good idea to put together some literature explaining red flags and the top signs of a scam that staff should be looking out for. It should also explain the importance of staying GDPR compliant despite being outside the office, including tips on strong password policies and how to keep sensitive information safe and secure.
Dealing with access and deletion requests
In many cases your GDPR efforts won’t have to change, for example, you should still be gaining explicit consent when collecting data or using cookies online. But another important aspect of data handling that you need to think about is access and deletion requests. It’s likely that you had systems in place for this in the office, but these may have been disrupted due to Covid-19.
If you can still ensure systems are in place to meet these requests, that’s great, and you should continue to do so as quickly as you can. That said, because the circumstances are beyond our control, the ICO has said that it understands attention may be diverted away from tasks such as this, especially with many businesses doing all they can just to stay afloat. As such, it is extending time frames for dealing with GDPR issues and access/deletion requests.
What you must do, however, is let all your customers/clients know that this is the case. It could be useful to send out an email to those on your database just letting them know that you’re doing everything possible to keep things running smoothly, but to please forgive you for any delays on these requests.