With part of the workforce now returning to the office, and part of the workforce remaining at home, this is the perfect time to revisit data protection compliance strategy. Having adapted products, processes, services, facilities and IT systems in response to Coronavirus (COVID-19), businesses should now refocus on their legal and business fundamentals as they move towards returning to the office. Compliance policies should be updated, Brexit contingency plans reinvigorated, and upcoming legal and regulatory changes anticipated. While taking these steps, businesses should bear in mind a number of key data protection and IT/cybersecurity fundamentals, and take the opportunities afforded by the return to work period to kick-start new initiatives.
PROMOTE RECORD KEEPING AND ACCOUNTABILITY
Two key components of the General Data Protection Regulation (GDPR) are record keeping and data protection impact assessments (DPIAs). In any investigation, the relevant Data Protection Authority will first want to see comprehensive records. Whilst many of the Data Protection Authorities permitted a lower standard of data protection compliance during the COVID-19 pandemic, along with a regime of reduced enforcement, this will not be considered an excuse for a lack of record keeping. Even if a company has been enjoying a lower level of data protection compliance as a result of COVID-19, it will still need to justify that lower level. A DPIA is a great tool for helping to determine and to document that lower standard of compliance. Its inherent process of record keeping allows a company to effectively track the areas of relaxed compliance so that they can be pulled back up to an acceptable standard post-pandemic.
As a note of caution, however, although regulators have adopted a lower data compliance standard, a court may not adopt a similar approach in any privacy law suit against the company. In this situation, a DPIA would provide helpful evidence to show that due consideration was given to the company’s responsibilities and to data subject’s rights.
UPDATE DATA PROTECTION NOTICES AND POLICIES
Data protection notices and policies should be reviewed regularly to ensure continuing compliance with laws and evolving regulatory guidance. Since the entry into force of the GDPR, a substantial amount of regulatory guidance concerning the pandemic and remote working has been released at both EU and Member State levels. With the change in work practices resulting from the pandemic, many data protection notices and polices should now be updated.
ENSURE COMPLIANCE OF INTERNATIONAL DATA TRANSFER STRATEGIES (EU-UK DATA FLOWS)
In the absence of an EU Commission adequacy decision, after the end of the Brexit transition period, on 31 December 2020, businesses must ensure that all EU-UK data flows continue to comply with applicable data protection requirements. A strategy will be needed, in both the short and long term, to manage international data flows. Business should consider whether or not standard contractual clauses offer sufficient coverage in the long term, or whether binding corporate rules would offer the most robust long-term solution. Now is a good time to get ahead of this issue. See page 11 for an overview of the additional impact that Schrems II will have on international data transfers.
BEWARE AN INCREASE IN SOCIAL ENGINEERING, RANSOMWARE AND OTHER ACTIVITIES
The COVID-19 pandemic brought with it an expected flood of increased hacking activity. With employees moving to remote working, there are now many more ways in which hackers can gain access to company systems. These range from an increase in phishing emails on COVID-19 related topics, fake approaches by the firm’s IT “help desk”, third party “support” to help fix home internet or router problems, or technical exploits arising from insecure home WiFi or routers. Businesses should determine whether or not their IT security policy suites appropriately cover continuing remote working. Typically, it may be necessary to update remote working policies and “bring your own device” policies, and to make adjustments to breach response policies. Companies should also explore whether or not heightened IT system monitoring could be enabled for employees working from home. All these steps will require the updating of appropriate policies and notices.
UPDATE CYBER INCIDENCE RESPONSE PLANS
This greater likelihood of breaches means that it is important to have in place an effective cyber incidence or breach response plan. These plans should be adapted to take into account increased remote working and the need for remote detection. Third parties who will assist in the response, such as cyber investigators, Payment Card Industry Forensic Investigators, lawyers, insurers and PR companies should be identified and retained in such a way that they can get to work quickly. Timescales for data breach reporting to regulators and affected individuals should be understood and taken into consideration, as this can now be as low as four hours for companies subject to the Payment Services Directive No. 2. Finally, with the greater likelihood of follow-on class actions or other litigation, care should be taken that the correct rules are followed with regard to document preservation and legal and litigation privilege, so that certain reports can be protected from disclosure to third parties.
REVIEW THIRD-PARTY COMMERCIAL CONTRACTS
Businesses should review IT supply and IT outsourcing agreements to ensure that these contain the mandatory language prescribed by Article 28 GDPR. Failure to include this language amounts to a breach of the GDPR and exposes businesses to unnecessary commercial risk. Brexit will also have an impact on IT agreements. To mitigate risk, companies should review indemnities providing protection for high-risk IT liabilities, such as GDPR, to ensure they are effective for both UK and EU GDPR risks.