COVID-19 – a change and challenge for IT

Analysis

GDPR: How to make your business more resilient against data protection breaches in light of the COVID-19 crisis?

Here are some of the most important GDPR-related challenges with respect to working remotely during this pandemic, with a few practical ways to handle them cost-effectively.

March 2020

The fight against the COVID-19 epidemic has caused the vast majority of entrepreneurs to introduce various forms of remote work, at least to some degree. Striving to limit employees’ presence at offices involves implementing remote work mechanisms for various groups of employees. If such mechanisms have not been in place yet, the sudden “mass exodus” home may come as something for which an organisation is unprepared, especially with respect to (personal) data protection risks. Threats arising from the use of new technologies in remote work are aplenty. Reasonable concerns about financial liquidity make organisations forego investing in security and sideline personal data protection.

Personal data protection during remote work – risk areas

First and foremost, in accordance with GDPR, a personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Therefore, such a breach occurs not only when information is ‘leaked’ and obtained by unauthorised parties (e.g. due to a hacker attack), but also when access to data is lost, either through losing documents or damaging data carriers (such as corporate USB sticks). 

What remote work circumstances then make organisations more vulnerable to such threats, and constitute potential data security gaps? Indubitably, these include:

a) with respect to IT security, and from the perspective of the employee:

  • violating the employer’s guidelines on processing, storing or sending information, using inadequately secured private or mobile devices (with no antivirus software, out-of-date operating system software and applications, no encryption solutions, etc.) or using an unsecured Wi-Fi network (e.g. with no strong password);
  • using tools that do not ensure adequate personal data protection (such as popular free instant messengers available on the Internet) or using social media platforms for business purposes (unless such use is approved);
  • falling prey to information chaos with respect to combating SARS-CoV-2, which makes employees more vulnerable to, among other things, phishing attacks;
  • not using multi-factor authentication for VPN and other corporate solutions (O365, OWA, etc.) that are reachable from the Internet;
  • having no back-up plan or alternative communication and work scenarios in the event that basic remote work resources (such as the VPN or communication platform) become unavailable (e.g. due to overload);

b) with respect to physically securing data:

  • transferring documents and data carriers (e.g. from the office to home);
  • not adapting space at home for remote work purposes, making it possible to damage equipment or have sensitive documents stolen;

c) with respect to the organisation:

  • having no fundamental business continuity measures in place and having no back-up equipment (in the event of power outage, device failure, or such banal problems as malfunctioning phones or headphones);
  • experiencing potentially hindered access to people providing support on data protection (IT, DPO, Compliance Officer, etc.);
  • the employees having low awareness of threats related to personal data protection, especially when awareness-raising training sessions and initiatives were previously focused on risks present in normal work.

The threats mentioned above are aplenty. The means to prevent them, however, do not have to be complex or costly. It is worth taking a look at the most important solutions.

How to counteract threats?

Remote work procedure

If an organisation does not have personal data protection procedures in place for remote work, it is high time to develop and implement them. In such cases, these will be minimum requirements that address the needs and objectives set out by the command centre. With standard business operations resumed, the organisation should supplement them with additional rules.

Minimum security requirements

If remote work involves employees using their own devices, it is worth updating them on basic information handling principles, and specifying minimum security requirements for devices and networks they use.

No free tools

Free tools such as an e-mail inbox or popular instant messengers do not provide an adequate level of data protection, and are usually not intended for business purposes. The employer should recommend approved communication channels (messengers, platforms, etc.).

Education and awareness

It is best to raise awareness and provide training before the crisis situation occurs. However, once we find ourselves in an emergency, it is worth weaving information on personal data protection threats into the well-established crisis communication channel. For example, one can make employees aware that they can be particularly vulnerable to phishing attacks in the coming days, involving clickable information on coronavirus (scammers have used maps of the virus's spread for this purpose). They should also know what they should do in such an event (e.g. immediately inform IT).

Surveillance considerations

Employers should be cautious, as implementing new personal data security solutions might involve having to satisfy requirements regarding employee surveillance. In such cases, employers should inform their employees of the purpose and scope of such solutions, and the manner in which they are used, in the fashion specified in the Labour Code. Alternatively, they may do so in the work regulations, if such regulations must be adopted. 

Anna Skuza - Attorney-at-Law, Senior Managing Associate, Deloitte Legal Poland

In case of breach...

What must be done in the event of a breach, where, for example, the employee loses the documents they carry, the network falls prey to a hacker attack, or a power outage causes personal data to be lost? First and foremost, it might be necessary to report the breach to the President of the Personal Data Protection Office within 72 hours of the breach being identified. The report should, among other things, describe the nature of the violation and its potential consequences. For this, efficient communication with employees is paramount to properly assess the breach-related risks, and then to provide the authority with all information necessary. In some cases, it might also be necessary to notify data subjects whose data have been breached.

Importantly, if the authorities decide to carry out an inspection in the company due to the data protection breach, all preventive actions previously undertaken may serve as an argument that the controller did implement the technical and organisational measures necessary to protect personal data. This could translate into a reduction of the potential fine.

- Jakub Kowal, Attorney-at-Law, Senior Associate, Deloitte Legal

Authorities

Ultimately, it is worth remembering that the websites of both Personal Data Protection Office and the Polish Financial Supervision Authority feature useful manuals on counteracting data protection threats, including guidelines on personal data. It is also a good practice to follow information and announcements published by those authorities, and implement their recommendations on an ongoing basis.

This piece has been originally developed by Deloitte Legal Poland. 
