The fight against the COVID-19 epidemic has forced the vast majority of employers to introduce some form of remote work, at least to a degree. Limiting employees' presence at the office means putting remote work mechanisms in place for various groups of staff. Where such mechanisms did not exist before, the sudden "mass exodus" home may catch an organisation unprepared, particularly with respect to (personal) data protection risks. Threats arising from the use of new technologies in remote work are numerous, and reasonable concerns about financial liquidity lead many organisations to defer investment in security and sideline personal data protection.
First and foremost, under the GDPR (Article 4(12)) a personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A breach therefore occurs not only when information is "leaked" and obtained by unauthorised parties (e.g. as a result of a hacking attack), but also when access to data is lost, for instance by misplacing paper documents or damaging a data carrier (such as a corporate USB stick), even if nobody else ever sees the data.
Which remote work circumstances, then, make organisations more vulnerable to such threats and constitute potential data security gaps? These include:
a) with respect to IT security, and from the perspective of the employee:
b) with respect to physically securing data:
c) with respect to the organisation:
The threats listed above are numerous. The means of preventing them, however, need not be complex or costly. The most important measures are worth a closer look.
If an organisation has no personal data protection procedures for remote work, it is high time it developed and implemented them. In the current situation these will be minimum requirements that address the needs and objectives set by the crisis management team. Once standard business operations resume, the organisation should supplement them with additional rules.
If remote work involves employees using their own devices, it is worth reminding them of the basic principles of information handling and specifying minimum security requirements for the devices and networks they use (for example: a supported, patched operating system; disk encryption and a screen lock; no shared accounts; a home Wi-Fi network with a non-default password; and corporate data kept in approved company systems rather than on the local disk).
Free tools such as a personal e-mail inbox or popular consumer instant messengers do not provide an adequate level of data protection and are usually not intended for business use. The employer should designate approved communication channels (messengers, collaboration platforms, etc.) and tell employees which ones to use.
It is best to raise awareness and provide training before a crisis occurs. Once an emergency is under way, however, it is worth weaving information on personal data protection threats into the organisation's established crisis communication channel. For example, employees can be warned that in the coming days they are particularly exposed to phishing attacks built around clickable coronavirus content (scammers have used infection spread maps for this purpose). They should also know what to do in such an event (e.g. not open the attachment or link, and immediately inform IT).
Employers should also bear in mind that introducing new personal data security solutions may trigger the requirements governing employee monitoring. In such cases the employer must inform employees of the purpose and scope of the monitoring and the manner in which it is carried out, in the form prescribed by the Labour Code, or, where the employer is required to adopt work regulations, in those regulations.
What must be done in the event of a breach, where, for example, an employee loses the documents they carry, the network falls prey to a hacking attack, or a power outage causes personal data to be lost? First and foremost, it may be necessary to report the breach to the President of the Personal Data Protection Office within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. The report should, among other things, describe the nature of the breach and its likely consequences. Efficient communication with employees is therefore essential, first to properly assess the risks arising from the breach and then to provide the authority with all the information it requires. Where the breach is likely to result in a high risk to the data subjects, they too must be notified.
Importantly, if the authority decides to carry out an inspection of the company following a data protection breach, all preventive measures previously undertaken can serve as evidence that the controller did implement the technical and organisational measures necessary to protect personal data. This may translate into a reduction of any potential fine.
Finally, it is worth remembering that the websites of both the Personal Data Protection Office and the Polish Financial Supervision Authority feature useful manuals on counteracting data protection threats, including guidelines on personal data. It is also good practice to follow the information and announcements published by those authorities and to implement their recommendations on an ongoing basis.
This piece has been originally developed by Deloitte Legal Poland.
More information: Combating COVID-19 with resilience