Keep data in lockdown while tackling the virus crisis

As businesses put in place continuity planning measures to mitigate the impact of coronavirus, they should be mindful of protecting customer and employee data when processing personal information.

Businesses are implementing contingency planning, with staff working from home and using domestic internet and personal devices to access cloud-based software and systems. This makes it more important than ever to ensure data security, as fines for data breaches will still apply.

The General Data Protection Regulation (GDPR) sets strict boundaries for businesses processing personal data about individuals (whether they are employees, clients or prospective clients), including a statutory obligation to notify the regulator, within 72 hours where feasible, of any personal data breach that is likely to put individuals at risk. It also gives wide-ranging powers to the UK’s data regulator, the Information Commissioner’s Office (ICO), which can impose substantial penalties for serious breaches.

Whilst data protection law doesn’t stand in the way of homeworking, or the use of personal devices, it demands even greater attention to security measures.

Human error is often the cause of data breaches, and without direct supervision, and with less opportunity to consult colleagues, such errors may become more likely. There are reports of a steep rise in attempted cyber fraud, with many more phishing emails, malware and social engineering incidents in which fraudsters dupe staff into revealing information or making money transfers.

Another major threat to data security during the crisis is the handling of information on staff and visitors who have travelled to high-risk areas, including their symptoms, test results and records of when self-isolation has taken place. This is personal data protected by GDPR and, where it concerns health, it is special category data under Article 9 of GDPR, which may only be processed where one of the Article 9 conditions applies and which warrants stronger security measures. Such information should be collected and used only when absolutely necessary to manage risk, and only where there is a legal basis to do so, and it should not be retained unless essential, for example for an insurance claim. Ideally, the management and sharing of such information should be set out in an existing policy.

The ICO has published advice to help organisations meet the data management challenge, and whilst it says it will be pragmatic about matters such as the speed of response to information requests during the crisis, there is no suggestion that it will accept reduced standards of data security.

Organisations may struggle to keep pace in this fast-changing environment, but it is important to remain vigilant when it comes to data protection. If a breach occurs and data is compromised, it will be treated as a serious issue. The ICO has the power to impose fines of up to €20m or 4% of total worldwide annual turnover, whichever is higher, and the damage to corporate reputation can be immense.