Whilst some businesses are now in the process of re-opening offices and premises to staff and customers, for many of us there is still likely to be an extended period of working from home. As they adjust to new working patterns that are likely to become the norm for many, it is essential that businesses and organisations, together with their staff and employees, continue to maintain high standards of data protection compliance.
In these very difficult times, the last thing that a business can afford to have to deal with is the fallout from a personal data breach – this could cause yet further economic and reputational damage for the organisation that is impacted, not to mention further harm to the individuals whose data is compromised.
What are the key data protection risks presented by homeworking?
Whilst these are exceptional times, controllers and processors of personal data still have an obligation to ensure that appropriate technical and organisational security measures are in place. Controller organisations are also still required to notify personal data breaches to the relevant data protection supervisory authorities, and to affected individuals (as relevant).
Processors must notify the relevant controller without undue delay of any personal data breaches. Given the short time frame for controllers to notify relevant data protection supervisory authorities, most controllers will expect processors to notify them immediately and this may also be a contractual requirement.
- Conduct a thorough review of measures and decisions taken around the time that lock down was implemented.
- Remind your staff of their obligations regarding data protection and information security.
- Consider whether any amendments to your emergency response plan are required.
- Assess which data protection supervisory authorities you are required to notify in case of a breach.
Homeworking may result in increased data protection and security risks, particularly for organisations that are not readily set up for staff to work remotely. Increased risks could arise in a number of areas:
In response to these heightened risks, organisations should take the following steps:
- Ensure strong passwords are set for user accounts with two-factor authentication (2FA).
- Ensure that devices encrypt data at rest.
- Use mobile device management (MDM) software to set up devices with a standard configuration and to enable remote locking or erasure.
- Ensure that staff know how to report problems and understand how to keep software and devices up to date and that they apply all updates promptly.
- Make sure any virtual private network (VPN) is fully patched.
- Disable removable media using MDM settings.
- Use antivirus tools where appropriate.
What should organisations be doing to mitigate these risks?
To manage the security risks of a personal data breach during these unsettled times, organisations should take measures such as:
Business continuity plans
Invoking business continuity plans to ensure ongoing availability and resilience of systems required for the business to operate and ensuring that key stakeholders can effectively communicate with each other, the business and its customers / clients.
Reminding staff of their obligations regarding data protection and information security, in particular raising awareness of the extra vigilance needed to combat hackers or malicious actors.
Ensuring that high security standards are maintained in relation to any new systems and tools that are introduced to facilitate remote working.
Keeping security measures under constant review and, where necessary, updating them to ensure that they remain appropriate and take account of the new working environment and its associated risks. This will involve carrying out an updated risk analysis, reviewing organisational policies and procedures (or putting new ones in place where these do not exist), and considering new physical and technical measures and any additional security requirements that may now need to be implemented. The business should also consider whether any amendments to its emergency response plan are required in light of these changes.
Data breach response plan
Having the organisation’s data breach response plan close to hand in case this needs to be invoked.
What should you do if you do suffer a data breach?
In the unfortunate event that you do suffer a personal data breach, immediate steps need to be taken to:
- Assess who the organisation is required to notify (having identified its lead regulator in advance) – if the breach has a cross-border impact, it may be necessary to notify more than one data protection regulator (depending on the jurisdictions impacted and whether the one-stop-shop mechanism applies).
- Prepare and file the necessary regulatory breach notifications.
- Prepare and send communications to affected
- Manage reputation and press communications.
Under the GDPR, the following breach notification obligations apply:
If your organisation is a controller, it must notify:
- the relevant data protection supervisory authorities without undue delay, and at the latest within 72 hours after having become aware of the breach (where feasible), unless the breach is unlikely to result in a risk to individuals; and
- affected data subjects without undue delay if the breach poses a high risk to them, unless there are effective technical and organisational protection measures that have been put in place, or other measures that ensure that the risk is no longer likely to materialise.
If your organisation is a processor, it must notify data breaches to the controller without undue delay and assist the controller to comply with its obligations regarding data breaches (although the processor may have contractual obligations to notify the controller within set time periods).
It is important to remember that, whilst your organisation is having to grapple with new ways of working, it is “business as usual” for opportunistic hackers or malicious actors. Therefore, you need to ensure that high standards of information security and data protection are maintained – otherwise, your organisation may find itself fighting other viruses as well as the coronavirus.