25th March 2020
Businesses processing personal data need to keep protection of customer and employee data at the front of continuity planning as they tackle the coronavirus threat.
Staff are likely to be working remotely or in different circumstances, which could make customer information more vulnerable to data breaches, and cyber-criminals are ratcheting up their fraudulent scams. Alongside this, data relating to employee health during the pandemic may be subject to special security requirements.
Businesses are implementing contingency planning, with staff working from home and using domestic internet and possibly personal devices to access cloud-based software and systems, making it more important than ever to keep data safe and secure, as fines for data breaches will still apply.
The General Data Protection Regulation (GDPR) provides strict operating boundaries for businesses processing personally identifiable information about individuals, with a statutory obligation to notify the regulator of any breach which places an individual’s personally identifiable information at risk. It also gives wide-ranging power to the UK’s data regulator, the Information Commissioner’s Office (ICO), which can impose high penalties for breaches.
Tackling the threat of coronavirus is taking us into uncharted territory. Whilst data protection laws shouldn’t stand in the way of flexible working, they do demand an even greater attention to security measures. The processes that you usually use in your office need to be tailored to suit your business’s newfound circumstances.
The human element is often the reason for data breaches, and without direct supervision and colleagues to consult, these may be more likely to happen. Certainly, there are reports of a steep rise in attempted cyber fraud, with many more phishing emails, malware and social engineering, where fraudsters dupe staff into revealing information or making money transfers.
The other major threat to data security during the crisis is the handling of information about individual staff and visitors: whether they have travelled to high-risk areas, their symptoms, test results and when self-isolation has taken place. This is personal data protected by GDPR, but where it concerns health it may be special category data under Article 9 of GDPR, which requires special security measures.
Such information should be collected and used only as absolutely necessary in managing risk and should not be retained unless essential, such as for an insurance claim.
Ideally the management and sharing of information is set out in a policy so you know who to tell and what information is shared with whom. So, for example, the ICO has said that it is OK to inform other staff if someone tests positive, or is suspected of having contracted the virus, so as to protect the health and safety of all, but to avoid naming those individuals.
The ICO has published advice to help organisations in facing up to the data management challenge and while they say they will be pragmatic about matters such as speed of response to information requests during the crisis, there is no suggestion that they will accept reduced standards of data security.
Regular training, clear policies and guidelines and the use of technology will all help to protect valuable information from leaking outside of your business. Ensure that your staff know who to report data breaches to and do so in a timely manner so that if they do occur, they can be properly managed.
Organisations will be struggling to keep pace in this fast-changing environment. It’s important to make sure you don’t drop the ball when it comes to data. If you end up with a breach and compromised data, it will be a serious issue. The ICO has the power to impose fines of up to €20m or 4% of total worldwide turnover and the damage to corporate reputation can be immense.
If you are concerned or want to check that your GDPR processes are up to scratch, then please get in touch with our Company & Commercial Team at Lamb Brooks. You can call us on 01256 844888 or email firstname.lastname@example.org.
The contents of this article are for the purposes of general awareness only. They do not purport to constitute legal or professional advice. The law may have changed since this article was published. Readers should not act on the basis of the information included and should take appropriate professional advice upon their own particular circumstances.
Lamb Brooks LLP
Victoria House 39 Winchester Street Basingstoke Hampshire RG21 7EQ
f: 01256 330 933
© Lamb Brooks is authorised and regulated by the Solicitors Regulation Authority - SRA No 559661.
Lamb Brooks LLP (registered at Companies House OC363909) whose registered office address is: Victoria House, 39 Winchester Street, Basingstoke, Hampshire, RG21 7EQ