Monday was the second anniversary of the General Data Protection Regulation (GDPR) coming into force in the European Union.
GDPR is a law designed to give individuals greater control of their data. It means that organisations, both inside and outside the EU, must now process data in a way that is “lawful, fair, and transparent”, with data controllers processing the minimum amount of data on individuals living in the EU.
“Appropriate technical and organisational measures” must also be implemented to ensure data is handled securely, and users must consent for their data to be processed and stored. Users can also request a copy of the data collected on them.
Remote working challenges on the second anniversary of GDPR
The second anniversary of GDPR comes at a time when many businesses have had to quickly adapt to widespread remote working due to the ongoing Covid-19 pandemic, which has brought with it challenges for data protection.
Remote working means that employees may have to access an increasing volume of sensitive data outside the office in order to carry out their job while complying with social distancing measures.
With many organisations rushing to implement new remote working strategies, data protection can be overlooked: employees may discuss sensitive information while at home, take documents away from company premises, where they can be lost or stolen, and use applications or software that have not been approved.
The use of personal devices, which may lack robust anti-virus software, security patches, or may connect to unsecured Wi-Fi, could result in organisations being at greater risk of cybersecurity incidents, which could result in substantial fines if GDPR is not followed.
According to a recent study by data discovery software company Exonar, 24% of people currently working from home due to Covid-19 ‘rarely’ or ‘never’ consider data protection policies when sharing information with colleagues.
A study from ILUX also showed that one in ten employees do not believe their remote working practices comply with GDPR.
“Organisations must guarantee IT security”
It is therefore vital that employers and employees ensure that GDPR is still followed at this time.
“Despite many employees working from home currently, it will not become the ‘new normal’ for everyone. Yet the flexibility associated with remote work is viewed so positively that many employees will be reluctant to give it up entirely. However, in many cases, the home office has been set up in a hurry and without proper planning, without the right system and network security tools in place, and without clearly defined or updated remote work policies including procedures to report a potential data breach or loss,” said Andy Teichholz, senior director of industry marketing at OpenText.
“For example, employees may be using their own private devices such as smartphones and laptops without them being adequately protected and/or having disregarded and circumvented their employer’s security requirements or rules regarding content management and file transfer. If incidents such as hacker attacks and data theft subsequently occur due to a lack of effective IT security, this can have very severe consequences for companies.
“Organisations must guarantee IT security both in times of crisis and beyond. If the home office becomes a permanent institution, organisations must ensure that all personal data is lawfully processed and protected. Companies must adapt to these new circumstances to ensure a level of security taking into account the new risks presented by data processing activities so they can, despite the crisis, face the third year of GDPR compliance with composure.”
GDPR and contact tracing
Along with remote working concerns, the use of data as a way of monitoring the spread of Covid-19 has also created a GDPR conundrum, with some asking whether data regulations could stand in the way of efforts to contain further transmission of the virus, while others warn of the privacy implications of initiatives such as contact tracing apps.
The European Data Protection Board (EDPB) has issued a statement stressing the importance of ensuring data protection rules, such as GDPR, “do not hinder measures taken in the fight against the coronavirus pandemic” but that data controllers and processors must “ensure the protection of the personal data of the data subjects”.
The statement said that in the context of a pandemic, the processing of personal data by health authorities or employees may be necessary without the consent of individuals “when processing is necessary for reasons of substantial public interest in the area of public health”.
However, data must only be processed for “specified and explicit purposes”, should be transparent, proportional and should anonymise location data wherever possible.
“With so much focus on Covid-19 in recent months it might be easy to miss an event such as the second anniversary of GDPR. The topic, however, still remains very relevant as there is much talk around the world, and here in the UK, regarding the use of mobile apps to support infection Test, Track and Trace,” said Charles Southwood, regional VP of Northern Europe and MEA at Denodo.
“Concerns over the invasion of privacy and whether there’s the potential for collection of PII from these Apps has been much discussed in the press in recent weeks. Whilst the pilot version of the UK’s contact tracing app has been offered out to the residents on the Isle of Wight, the UK Health Secretary, Matt Hancock, has announced his confidence in a UK-wide roll-out by 1 June. We therefore watch with interest the level of app use, as citizens will need to balance their GDPR concerns (founded or unfounded) against the clear value to themselves and society in helping support such an obvious life-saving initiative.”