The state of play today
Mike Tyson famously once said, “Everyone has a plan until they get punched in the face”, and it’s fair to say that every business throughout the globe is currently reeling from the historic haymaker delivered by COVID-19. In the UK, all non-essential business premises have been asked to close and consequently full-time homeworking has been enforced upon many of us as “the new normal”.
Many businesses have gleefully informed the world that they adopted disaster-proof business continuity plans for just such an occasion years ago. However, the palpable sense of an online network creaking at the seams, and the absence of such Nostradamus-like qualities in the rest of the business world, suggest that everyone will be required to make adjustments as we navigate this difficult time.
With the toothpaste well and truly out of the tube, we’ve put together some of the key data protection actions that businesses can take to start their adjustment to a home working structure, manage the issues that will spring up over the forthcoming weeks, or simply benchmark against their existing business continuity plans. These actions are intended to complement the remote working tips we’ve been publishing to help individual employees working from home.
Know the risks
The GDPR, implemented in UK law by the Data Protection Act 2018 (DPA), requires all controllers of personal data to undertake a Data Protection Impact Assessment (DPIA), a formal documented assessment of the data protection risks of a project, prior to any processing activity which is likely to result in a high risk to data subjects’ rights and freedoms. In our “business as usual” lives these would often be triggered by a proposed change in processing systems or new technology, but they are a worthwhile (and possibly mandatory) tool for assessing the impact of transitioning from an office-based to a home working environment.
Begin by working with key stakeholders to audit, identify and minimise any risks that the change has caused or may cause. Given the nature of the transition this may happen after the fact, but it should be conducted regardless. If the transition was conducted in haste, start looking for and addressing weaknesses retrospectively.
Investigating and recording these risks will go some way towards fulfilling your ongoing accountability obligations (the GDPR principle which requires controllers to take responsibility for their compliance and to document it), and will also provide a framework for solving any current issues and nipping future problems in the bud.
Adapt existing frameworks
Despite the working world being turned on its head, there’s no need to give yourself more homework than necessary. The sensible approach is to adjust existing policies to account for business activities being conducted outside of the physical office. Consider the following ways to leverage your current policies and practices:
1. Refresh your breach detection and reporting procedure to account for the risk of data moving offsite and for line managers and lines of reporting being remote from individual workers. As part of this you should ensure all your staff know who the breach response team are and how they can be contacted in such an emergency. Test the process for detecting and reporting potential breaches, and feed any weaknesses found into your DPIA procedures;
2. Refresh staff awareness of data protection responsibilities and policies. If possible, tailor the policies to the current way of working and make them as role-specific as practically possible. Alongside an increased wave of cyber security threats from a freshly enthused group of nefarious individuals looking to exploit the current crisis, there will also be an increase in other, less obvious sources of risk. Employees should be aware of the potential for breaches arising from children, partners and housemates being at home more often during the lockdown; leaving data accidentally exposed is one of the main causes of breaches. Despite the present difficulties, duties of confidentiality and data protection still remain, and employees should be reminded accordingly; and
3. Use “nudge” based prompts over the forthcoming weeks to avoid slack practices becoming Business As Usual (BAU). No employee has ever begged for a lecture on their data protection responsibilities, and that certainly hasn’t changed with the added pressure of working at the kitchen table, home schooling kids and trying to complete a Netflix series in a single sitting. However, much as we were all diligent drivers the day we passed our test, bad habits form quickly and obligations and best practices are soon forgotten. Smaller “bite-sized” chunks of information to update and remind employees how to keep business (and their own) data safe are indispensable when trying to maintain engagement over distance. The DPO Centre has compiled some of the common tips dispensed to aid employees working remotely.
Implement any controls identified in audit/DPIA process
Nobody is perfect, and even the outfits with the tightest data protection controls will need to assess how their practices have stood up under current circumstances. If you have identified absent controls (such as policies, contracts with third parties or technical system improvements) in your audit (see “Know the risks” above), now is the time to develop and implement them.
We all hope that things will return to normal as soon as possible, but hoping for the best once you’ve identified a risk is not good business practice and certainly not compliant with your accountability obligations. It is common to need updates to, or complete drafting of, Bring Your Own Device (BYOD) policies where employees use their own equipment for work purposes, as well as other key documents such as data protection, information management or governance policies. Likewise, there are still plenty of high-quality IT and information security support services able to remotely assist with technical improvements to reduce the risks you’ve identified, or to help you identify them.
Update registers
It’s not one of the most gratifying data protection tasks, but transitioning to a fully work-from-home structure is likely to affect where and how personal data is processed within the organisation. Accordingly, the Record of Processing Activities (ROPA) will need to be updated, along with any other asset registers or logs used to document this.
Review your risks
Things may continue as they are for a while and it’s unlikely that any transition back to BAU will be completed quickly and without further upheaval. If you don’t have one in place already, build an information governance team and risk register to monitor the ongoing threats to the organization. Ensure these risks are reviewed regularly and updated in light of any incidents or planning for a transition away from working from home.
Record your actions
All of the work undertaken to manage the risks currently presenting themselves will not be in vain if you accurately record and learn from your actions. All organisations functioning today are doing so in a “business continuity” manner, adjusting to demands far outside the BAU we plan for in our short- and long-term strategies.
If you didn’t have a fully formed Business Continuity Plan (BCP) before now, this period will provide a strong framework from which to build and improve. If you do already have a BCP, continual benchmarking and assessment will be key to realising the benefits of your preparation and adjusting to any unforeseen demands, which are all too common at present.
Summary
The Information Commissioner’s Office (ICO), the UK’s independent supervisory authority for the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations, has said it will take a pragmatic approach to enforcement during the current pandemic and that data protection should not be a barrier to business during these times. However, it will continue to monitor the actions of organisations and ensure they uphold their obligations under the DPA 2018. The actions discussed above are designed to help with these obligations and, importantly, all of these measures will assist with the ongoing duty to secure and protect personal data, which remains upon us regardless of the conditions.