Data privacy in the age of coronavirus
The new realities of the novel coronavirus (COVID-19) pandemic have forced businesses to redefine the way they operate, and these sweeping changes could have a serious impact on data privacy readiness.
In a recent survey, 85 percent of companies reported that at least 50 percent of their employees are currently working remotely due to stay-at-home orders. Going remote often requires a number of technology solutions and tools, including video conferencing and increased reliance on email, cloud file storage, file sharing, chat and communication platforms, and remote desktop applications. Often, these tools are used to share and store personal data, plus other types of information for which companies have legal and contractual obligations to protect. Use of video conferencing for internal and external meetings has skyrocketed, with Zoom reporting an increase in daily users from 10 million in December 2019 to more than 200 million in March 2020. Overburdened call centers are turning to AI-based solutions to handle surges in call volumes while they manage the limitations of a remote workforce. Remote work tools may now have access to personal information that goes beyond what is stated in privacy policies and consent notices that were updated even a few months ago.
These operational and system changes make every company with a remote work force a de facto technology company and are forcing digital transformation. Over a period of a couple of weeks, businesses had to implement changes that would have required months to plan and execute under normal circumstances. In the rush to adapt to the demands of the pandemic, it can be easy to overlook the possible implications for data privacy readiness. Employees are scrambling to perform their tasks in the most efficient way possible, and in doing so may inadvertently violate some of the basic tenets of data protection. For example, employees working from home may be using unsecured Wi-Fi connections or sharing computers with other family members. Use of unvetted platforms and insufficiently protected cloud storage could expose personal data to breaches such as unauthorized access. Automation processes may be implemented without assessing the impact on data protection, especially in call centers. Any number of operational changes can act as triggers that throw your previous state of data privacy readiness into non-compliance.
While priorities may have shifted in these times of change and uncertainty, businesses must proactively maintain their data privacy readiness and continue to align with applicable regulations as well as the expectations of individuals whose personal data they handle.
Regulations are not going away, and security threats are escalating
Regulators of both GDPR and CCPA have made it clear that data privacy regulations are not going away in response to the pandemic, nor are they being put on hold. Despite pressure from industry lobbyists, California Attorney General Xavier Becerra is moving ahead with plans to begin enforcement of CCPA on July 1, 2020. For organizations covered under GDPR, the European Data Protection Board (EDPB) has emphasized that “even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.”
At the same time, a spike in cybercriminal activity calls for heightened vigilance in protecting personal data. In a recent survey, more than one-third of senior technology executives reported an increase in cybersecurity risks since more employees began working from home. One study reports a 667 percent increase in email phishing activity between January and late March 2020.
Even as businesses scramble to face the challenges of the current environment, this is no time to neglect data privacy responsibilities. Fortunately, those who had prepared for data privacy requirements prior to the pandemic can restore readiness by evaluating their current situation and addressing any gaps that may have arisen.
Update data flow diagrams
The changes over the last few weeks almost certainly have had some effect on your organization’s data flows. By revisiting and updating those flows, you can capture the current lifecycle of personal data as it flows into, throughout, and outside your organization. You will also want to revisit system diagrams to include any new external vendors. Ensure that any new technologies being used for remote work have been configured with data protection in mind, and remember to update documentation of your data processing activities. Then use these revised materials to identify any gaps between the current state and what applicable data privacy laws require.
Update policies and procedures
After re-mapping data flows, updating system diagrams as necessary, and making sure any new data processing activities are accurately documented, you will want to update your organizational policies and procedures as necessary to ensure personal data is handled according to applicable regulations at every phase of the data lifecycle. It’s also a good idea to re-visit your organization’s remote work policies to reinforce data privacy measures while employees work from home. Updates to existing policies might include, for example,
- Using secure virtual private networks (VPNs) when logging in over home Wi-Fi
- Not using shared computers for work
- Securing paper documents and handwritten notes that may contain personal data
- Guidelines on recording video conferences and storing and sharing call recordings
- Implementing multi-factor authentication if you have not already done so
- Tightening password protocols
- Ongoing communication with your employees to keep data protection top of mind
Revisit BYOD policies
If employees are using personal devices — including personal computers, smartphones, and/or tablets — while they work from home, make sure that your BYOD policies are up to date with the latest security measures and that all employees understand their responsibilities.
Evaluate any new technologies and vendors
If your organization is using any new technologies to help facilitate remote work and/or working with any new vendors that handle personal data, make sure these have been vetted for their privacy policies and that they practice appropriate security measures. Review any new third-party vendor or service provider contracts to make sure that they meet the data protection standards established by your privacy program.
Maintain data governance practices
Data governance committees should continue to meet according to their usual schedule (or even more frequently, if possible) and to carry out their regular duties. Directors and Officers need to monitor data protection compliance programs.
We all look forward to the day when the coronavirus pandemic is in the rearview mirror and we can return to business as usual. Until that day comes, it’s vital that businesses keep their commitments to protecting data privacy and aligning with the regulations that apply to them.
Questions about how to maintain data privacy readiness amid coronavirus-related disruptions? We can help.
General Manager of Data Privacy Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, Information Management, the American Bar Association, and other national and international organizations.