GDPR: How to strengthen your business against data breaches in the era of COVID-19
We present the most important challenges related to GDPR as part of remote work in the age of pandemics, as well as practical ways to deal with them without the need for entrepreneurs to incur significant costs.
The fight against the COVID-19 epidemic meant that the vast majority of entrepreneurs introduced - at least in part - various forms of remote work. Striving to limit the presence of employees in offices is associated with the implementation of work mechanisms from the place of residence for various groups of employees. However, if the enterprise did not have a remote work culture before, a sudden "exodus" from the offices may find the organization and its employees unprepared for data protection risks, including personal data.Threats flowing, among others there is a lot to be seen from the use of new technologies in remote work, and understandable fears related to the threatened financial liquidity of many enterprises do not encourage investment in security and postpone the protection of personal data.
Personal data protection during remote work - danger areas
First of all, it should be reminded that, according to the GDPR, a personal data breach is any breach of security that leads to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed. Therefore, such a violation will not only be a situation in which data "leak", i.e. fall into the wrong hands (e.g. as a result of a hacker attack), but also e.g. loss of access to data due to loss of documents or damage to a data carrier (e.g. work stick 'and).
So what circumstances related to remote work increase the organization's vulnerability to the above threats and constitute potential data security vulnerabilities? These undoubtedly include:
a) in the aspect of IT security - from the employee's perspective:
- acting contrary to the employer's guidelines regarding the processing, storage and transmission of information, the use of unprotected private and mobile devices, respectively (e.g. no anti-virus, non-updated system software and applications, no encryption of resources, etc.) and Wi-Fi networks ( e.g. no strong network password)
- using improper tools that do not ensure adequate protection of personal data (e.g. popular free instant messengers) or using social networks for company communications (unless they have been previously approved for this purpose);
- information chaos regarding issues related to combating SARS-CoV-2 virus, increasing susceptibility to e.g. phishing;
- failure to provide multi-factor authentication in VPN services or other corporate services (O365, OWA, etc.) available (visible) from the Internet;
- no emergency plan / alternative communication and work scenarios in the event of unavailability (e.g. as a result of congestion) of basic remote work services (VPN, communication platform, etc.)
b) in the aspect of physical data security:
- moving documents and information carriers from place to place (e.g. from the office to the home);
- threats resulting from non-adaptation of home space to work, such as the possibility of destruction or theft of sensitive documents.
c) in organizational aspect:
- lack of basic means of business continuity and spare devices (e.g. lack of electricity, equipment failure, but also a prosaic failure of a mobile phone or headphones);
- potentially difficult access to persons providing support in the protection of information (IT Department, data protection officer, compliance officer etc.); and
- low level of employees' knowledge of the risks related to the protection of personal data, in particular in situations where previous training and awareness campaigns focused on threats occurring in the normal course of work.
Threats, as already mentioned, there are many, but ways to counter them do not have to be complicated and expensive. It is worth looking at the most important of them.
Ways to counteract threats
Remote work procedure for employees
If your organization has not yet adopted procedures for the protection of personal data as part of remote work, this is a good time to develop and implement such rules at this time. In this case, they will be the basic guidelines adopted to address the needs and goals set by the crisis staff. They will be supplemented when normal business operations are restored.
Minimal security requirements
If remote work involves the use of their own devices by employees, it is worth updating employees' knowledge of the basic principles of dealing with information, as well as specifying / recalling the minimum security requirements for the devices and networks they use.
Eliminate the use of free tools
Free tools, such as e-mail or popular messengers, do not provide an adequate level of data protection and are usually not intended for business use. The employer should instruct employees which communication channels (messengers, platforms, etc.) they accept for this purpose.
Education and awareness raising
Awareness and training is best done before a crisis, but if you are already in it, it is worth to include information about the risks to personal data in the established channel of crisis communication with employees. For example, it is worth making employees aware that in the coming days they may be particularly vulnerable to, for example, a phishing attack hidden under "clickable" information about coronavirus (scammers used for this purpose, e.g. SARS-CoV-2 spread maps), and what they should do in in this case (e.g. immediately inform the IT Department).
When the violation has already occurred
What to do, however, if the violation has already occurred, e.g. an employee lost the transferred documents, the network fell victim to a hacker attack or a power failure caused that personal data was lost? First of all, it should be remembered that it may be necessary to report the violation to the President of the Office for Personal Data Protection within 72 hours of finding the violation. The notification should contain, among others description of the nature of the infringement and its possible consequences. To this end, efficient communication with the employee will be necessary to properly assess the risk associated with the violation, and then provide the authority with all required information. In some cases, it may also be necessary to notify those affected.