Coronavirus: maintaining GDPR compliance during the COVID-19 pandemic

Useful resources from the IT Governance blog:

The measures we all must take to slow the spread of COVID-19 will inevitably cause disruption for most organisations. Reducing the impact on your business is paramount.

One area you might not have considered is how to maintain compliance with the GDPR (General Data Protection Regulation) and UK DPA (Data Protection Act) 2018.

If you’ve introduced remote working and/or find yourself understaffed as a result of illness, this will be especially challenging.

ICO guidance

The ICO (Information Commissioner’s Office) has published a handy guide to what you need to know about data protection during the pandemic.

On the subject of homeworking, it says:

Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.

But what does this mean in practical terms?

Risk-based approach

The GDPR calls for appropriate technical and organisational measures to safeguard personal data. Determining what is appropriate requires regular risk assessments, but you might not have had time to properly assess the impact and likelihood of homeworking risks before sending your staff home.

Here are some areas you should consider:

  • Unsecured networks

Home workers not connected to the secure corporate network will instead use their own home network. Features such as filtering, firewalls and encryption might not be available, and where they are available will be beyond your control.

If staff haven’t changed the default passwords on their routers, they leave themselves open to eavesdropping and man-in-the-middle attacks unless they use a VPN (virtual private network).

  • BYOD

You might not have enough laptops and phones to issue your staff with work devices at short notice, so you’ll probably require home workers to use their own equipment – known as BYOD (bring your own device).

Again, your main problem with BYOD is the lack of control and the increased risk of data breaches. For instance, if staff visit sites or download apps that you would normally blacklist, their machines might become infected with malware, putting information at risk.

You will also have no control over patch management and ensuring security vulnerabilities are fixed.

If you need to draw up a BYOD policy in a hurry, you can use our BYOD Policy Toolkit – a customisable policy template, Acceptable Use Agreement and implementation guidance that will help you structure, focus and document your organisation’s approach to BYOD.

  • Cloud services

Ensuring your workforce can continue to collaborate will mean relying on third-party platforms that are outside your control. As more and more people move to homeworking, the strain on cloud services will be all the greater.

While service providers are doing their best to contend with a sudden leap in users, many will be overwhelmed and suffer outages. Even platforms such as Microsoft’s Teams have seen disruption caused by millions of new users.

  • The human factor

People are routinely cited as the weakest link in any cyber security system, which is why the vast majority of malware – as much as 99% by Proofpoint’s estimate – is delivered via phishing campaigns.

Phishing attacks exploiting the coronavirus outbreak have seen a huge increase. Read more about COVID-19 phishing scams in our blog post ‘Hackers exploit coronavirus fears as cyber attacks soar’.

It’s a sad truth that attackers will continue to exploit the pandemic – and can do so even if self-isolating – so it’s critical not to let cyber security slide.

Meeting your other GDPR obligations

Beyond the need to ensure you have appropriate technical and organisational security measures in place, as a data controller you have to ensure you can facilitate data subjects’ rights. Meeting the requirements of DSARs (data subject access requests), for instance, might be lower on your list of priorities at the moment. That’s entirely understandable.

If you do require extra help meeting your obligations, we still have everything you need, available remotely.

However, if your resources are simply too stretched, don’t worry. The ICO has stated that:

We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.

We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.

[…]

Original article here