GDPR: How to strengthen your business against data breaches in the era of COVID-19

We present the most important GDPR challenges raised by remote work during the pandemic, together with practical ways of dealing with them that do not require businesses to incur significant costs.

The fight against the COVID-19 epidemic has meant that the vast majority of businesses have introduced, at least in part, some form of remote work. Limiting the presence of employees in offices requires mechanisms for working from home for various groups of staff. However, if the enterprise did not have a remote work culture before, a sudden "exodus" from the offices may find the organization and its employees unprepared for the data protection risks involved, including those affecting personal data. Many of these threats stem, among other things, from the use of new technologies in remote work, while understandable fears about the financial liquidity of many enterprises discourage investment in security and push the protection of personal data down the list of priorities.


Personal data protection during remote work - danger areas


First of all, it should be recalled that under the GDPR (Article 4(12)) a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A breach is therefore not only a situation in which data "leak", i.e. fall into the wrong hands (e.g. as a result of a hacker attack), but also, for example, a loss of access to data caused by lost documents or a damaged data carrier (e.g. a USB flash drive).

So which circumstances of remote work increase the organization's exposure to the above threats and constitute potential data security weaknesses? They undoubtedly include:

a) IT security, from the employee's perspective:

  • acting contrary to the employer's guidelines on the processing, storage and transmission of information, and using unprotected private devices, mobile devices (e.g. no anti-virus, unpatched operating system and applications, no encryption of stored data, etc.) and home Wi-Fi networks (e.g. no strong network password);
  • using inappropriate tools that do not ensure adequate protection of personal data (e.g. popular free instant messengers), or using social networks for company communications (unless they have been approved for this purpose beforehand);
  • information chaos around the fight against the SARS-CoV-2 virus, which increases susceptibility to e.g. phishing;
  • lack of multi-factor authentication on VPN services or other corporate services (O365, OWA, etc.) that are reachable from the Internet;
  • no contingency plan or alternative communication and work scenarios in the event that basic remote work services (VPN, communication platform, etc.) become unavailable (e.g. as a result of congestion).

b) physical data security:

  • moving documents and information carriers from place to place (e.g. from the office to the home);
  • threats resulting from home spaces not being adapted to work, such as the possibility of sensitive documents being destroyed or stolen.

c) organizational:

  • lack of basic business continuity measures and spare equipment (e.g. power outages or equipment failure, but also the prosaic failure of a mobile phone or a headset);
  • potentially difficult access to the people who provide support in protecting information (IT department, data protection officer, compliance officer, etc.); and
  • a low level of employee awareness of the risks to personal data, in particular where previous training and awareness campaigns focused on threats encountered in the normal course of office work.


As noted above, the threats are many, but the ways of countering them need not be complicated or expensive. The most important of them are worth a closer look.

Ways to counteract threats


Remote work procedure for employees

If your organization has not yet adopted procedures for protecting personal data during remote work, now is a good time to develop and implement such rules. In the current situation they will serve as basic guidelines addressing the needs and goals set by the crisis management team, to be supplemented once normal business operations are restored.

Minimal security requirements

If remote work involves employees using their own devices, it is worth refreshing their knowledge of the basic principles of handling information, and specifying (or recalling) the minimum security requirements for the devices and networks they use, such as a supported and patched operating system, up-to-date anti-virus software, encryption of the storage where company data is kept, a screen lock, and a home Wi-Fi network protected by a strong password.

Eliminate the use of free tools

Free consumer tools, such as personal e-mail accounts or popular messengers, do not provide an adequate level of data protection and are usually not intended for business use: the employer has no data processing agreement with the provider, no administrative control over accounts and no ability to audit or retrieve company data. The employer should tell employees which communication channels (messengers, platforms, etc.) are approved for this purpose.

Education and awareness raising

Awareness raising and training are best done before a crisis, but if you are already in one, it is worth including information about the risks to personal data in the established channel of crisis communication with employees. For example, employees should be made aware that in the coming days they may be particularly exposed to phishing attacks disguised as "clickable" information about the coronavirus (fake SARS-CoV-2 spread maps have been used for this purpose), and told what to do in such a case (e.g. immediately inform the IT department).

When the violation has already occurred


What should be done, however, if a breach has already occurred, e.g. an employee has lost documents taken home, the network has fallen victim to a hacker attack, or a power failure has led to the loss of personal data? First of all, it should be remembered that it may be necessary to report the breach to the President of the Personal Data Protection Office (UODO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned (Article 33 GDPR). Even where no notification is made, the breach, its effects and the remedial action taken must be documented internally. The notification should include, among other things, a description of the nature of the breach and its likely consequences. Efficient communication with the employee will therefore be necessary to properly assess the risk associated with the breach and then provide the authority with all the required information. Where the breach is likely to result in a high risk to the individuals concerned, they must also be notified (Article 34 GDPR).
