With a significant proportion of the population working from home for the foreseeable future due to the coronavirus (COVID-19), organisations are having to adapt to new ways of accessing systems and communicating with one another.
For some businesses, this is likely to have involved adapting to a completely new way of working, and amidst all the technical learning and colleague welfare concerns, security should also be one of your priorities.
Isn’t the Information Commissioner’s Office (ICO) Taking a Relaxed Approach to Compliance?
Not in relation to security – no. The ICO has said that it is unlikely to take enforcement action if the impact of COVID-19 means that you’re slightly late on a subject access request deadline, but this doesn’t mean that the same approach will be taken if there is a data breach.
Whilst the ICO is generally a fairly pragmatic regulator, and clearly understands that this is a difficult and highly unusual situation, basic attention to security and the protection of personal data will still be expected. Falling short of this because you haven’t considered the implications is unlikely to serve you well if there is a breach.
There are three key areas to ensuring compliance:
- system security
- staff awareness
- record keeping
By now, you will likely have the systems in place to allow work from home where this is practicable. Security will have been one of the initial considerations when selecting and testing systems for this, but it is an ongoing requirement.
Phishing and other attempts to gain access to your systems are likely to increase, and so you must continue robust testing to ensure that the methods you have adopted continue to be safe. Weaknesses need to be identified, and action taken (where possible) to strengthen your defences.
Some of these measures will be relatively simple – such as ensuring software is up to date and installing patches – but these shouldn’t be overlooked. You should be alive to the possibility of increased attacks whilst systems are potentially at their most vulnerable because everyone is trialling new systems, and do what you can to protect your organisation.
Your staff are adapting to a new way of working. This might involve using new and unfamiliar technology. Everyone working in this way needs to understand the ground rules for doing so, and what they need to do to keep information safe.
Ask yourself the following questions:
- Do we have an information security policy?
- Are staff aware of this policy?
- Do we need to make changes to our policy in light of the new way of working?
- Have we communicated these changes to staff?
It’s likely that your current policy will need amending – and possibly extending – in the current circumstances. However, the key element in all of this is ensuring that staff understand the limits of what they can and cannot do. Some messages will be the same, but may need reinforcing – not using public Wi-Fi, for example, is likely to still apply, as will only accessing the information needed to carry out the work that is expected. Sending personal data to a home (unsecured) email address is also likely to remain a ‘don’t’, but this may need reinforcing.
Other messages are likely to be new in light of the current isolation situation. How to work effectively in a shared living space, what to do with confidential paperwork that is no longer needed, use of WhatsApp for keeping in touch, how to print via a Citrix system… Whilst some of these may seem like common sense, in times of high anxiety, clear and simple instructions will ensure that everyone is clear on what is expected, and help protect the vital personal information that you are dealing with.
No systems are perfect, and no human beings are perfect, and so mistakes are inevitable. One of the key requirements of the GDPR is that you can demonstrate your compliance, and so recording your decisions and the reasons for them is vital if the worst does happen. Have a record of testing that has taken place, of weaknesses identified, and actions taken. Have a record of discussions around your policy, a record of the changes, and evidence that all staff have received these. If you have this, should the worst happen, you can at least show the ICO that you have done all that you can reasonably do to protect your data.
Across the world, individuals are showing considerable resilience and resourcefulness in keeping key industries going. In the midst of such a crisis it’s easy to lose sight of security and compliance in favour of innovation and ‘getting the job done’, but a data breach could significantly impact your organisation and make an already difficult situation far more complicated than it needs to be. Take some time to review what you have in place, and how you might be able to improve your current policies and procedures, and don’t forget to document your discussions and decisions!