The state of play today
Mike Tyson famously once said, “Everyone has a plan until they get punched in the face”, and it’s fair to say that every business throughout the globe is currently reeling from the historic haymaker delivered by COVID-19. In the UK, all non-essential business premises have been asked to close and consequently full-time homeworking has been enforced upon many of us as “the new normal”.
Many businesses have gleefully informed the world that they adopted disaster-proof business continuity plans for just such an occasion years ago. However, the palpable sense of an online network creaking at the seams, and the absence of such Nostradamus-like qualities in the remaining business world, would suggest that everyone will be required to make adjustments as we navigate this difficult time.
With the toothpaste well and truly out of the tube, we’ve put together some of the key actions relating to data protection that businesses can undertake to start their adjustment to a home working structure, manage some of the issues that will spring up over the forthcoming weeks or just benchmark against their existing business continuity plans. These actions are intended to complement the remote working tips we’ve been publishing to help individual employees working from home.
Know the risks
The Data Protection Act 2018 (DPA) requires all controllers of personal data to undertake a Data Protection Impact Assessment (DPIA) prior to any processing activity which is likely to result in a high risk to data subjects’ rights and freedoms. In our “business as usual lives” these would often be triggered by a proposed change in processing systems and new technology, but they may be a worthwhile (or possibly mandatory) tool for assessing the potential impact of transitioning from an office-based to home working environment.
Begin by working with key stakeholders to audit, identify and minimize any risks that the alteration has caused, or may possibly cause. This may be after the fact due to the nature of the transition but should be conducted regardless. If the transition was conducted in haste, start to look for and address weaknesses retrospectively.
Investigating and recording these risks will go some way to fulfilling your ongoing accountability obligations, and will also provide an important framework for solving any current issues and nipping any future problems in the bud.
Adapt existing frameworks
Despite the working world being turned on its head, there’s no need to give yourself more homework than necessary. The sensible approach is to adjust existing policies to account for business activities being conducted outside of the physical office. Consider the following opportunities to leverage your current policies and practices, such as:
Implement any controls identified in audit/DPIA process
Nobody is perfect and even the outfits with the tightest data protection controls will need to assess how their practices have stood up under current circumstances. If you have identified absent controls (such as policies, contracts with third parties or technical system improvements) in your audit (see “Know the risks” above), now is the time to develop and implement them.
We all hope that things will return to normal as soon as possible but hoping for the best once you’ve identified the risk is not good business practice and certainly not compliant with your accountability obligations. It’s common to require updates or complete drafting of Bring Your Own Device (BYOD) policies if employees use their own equipment for work purposes, as well as other key documents such as data protection, information management or government policies. Likewise, there are still plenty of high-quality IT and information security support services able to remotely assist with technical improvements to reduce any risks you’ve identified, or those you require assistance identifying.
It’s not one of the most gratifying data protection tasks, but it’s likely that transitioning to a completely work-from-home structure is going to affect where and how personal data is processed within the organisation. Accordingly, the Record of Processing Activity will need to be updated, as well as any other asset registers or logs which are used to document this.
Review your risks
Things may continue as they are for a while and it’s unlikely that any transition back to BAU will be completed quickly and without further upheaval. If you don’t have one in place already, build an information governance team and risk register to monitor the ongoing threats to the organization. Ensure these risks are reviewed regularly and updated in light of any incidents or planning for a transition away from working from home.
Record your actions
All of the work undertaken to manage the risks presenting themselves currently will not be in vain if you manage to accurately record and learn from your actions. All organisations functioning today are doing so in a “business continuity” manner by adjusting to demands which are far outside of the BAU we plan for in our short- and long-term strategies.
If you didn’t have a fully formed Business Continuity Plan (BCP) prior to now, then this will provide a strong framework from which to build and improve. If you do already have a BCP, then continual benchmarking and assessment will be key to utilizing the benefits of your preparation and adjusting to any unforeseen demands, which are all too common at present.
The Information Commissioner’s Office have agreed to take a pragmatic approach to enforcement during the current pandemic and insist that data protection should not be a barrier to business during these times. However, they will continue to monitor the actions of organisations and ensure they continue to uphold their obligations under the DPA 2018. The actions discussed above are designed to aid with these obligations and, importantly, all of these measures will assist with the ongoing duties to secure and protect personal data, which continue to be upon us regardless of the conditions.