Everything may have changed but the GDPR is still here
Alexander Egerton examines the need for businesses to comply with the GDPR as the coronavirus pandemic pushes them online
The pandemic has challenged how organisations win and retain business and employ their staff. Few businesses can switch back to their February 2020 model. Even if they could, many now see viable opportunities of which, without the pandemic, they may never have become aware.
Some of these businesses may not have considered the General Data Protection Regulation (GDPR) implications of these revolutionary changes. There are two major shifts to come out of the pandemic for businesses: no longer relying on offices or central paper records to interact with their customers, and employing their staff remotely. Put simply, the business’ IT network is the new office.
Quick summary – GDPR compliance
EU and UK privacy regulators want to see that businesses have:
- Identified the personal data they process;
- Assessed whether the processing is “lawful”;
- Put systems in place (not just IT security but clean desks too) that protect the integrity of that personal data.
The GDPR was never a set of rules to prevent businesses from using data; instead it is a framework that asks businesses to justify what they are using the data to do and to consider how secure the data is. As such, any GDPR compliance programme will reduce the risk of business interruption as the weak links will have already been identified. If businesses have not considered their privacy regulations, the Information Commissioner’s Office (ICO) retains the power to fine them either two percent or four percent of turnover, which is likely to be catastrophic at a time when many are struggling.
The new virtual office
Clearly, businesses that relied on people visiting their physical premises, or that facilitated people meeting others, have suffered during the pandemic. Those that could not rely on visits to premises and instead have had to convert to an entirely online model have faced serious challenges of their own. With little to no notice, they have had to use their IT systems to both facilitate and process everything remotely. Businesses are also aware that lockdown gave people time to use technology they may previously not have known existed to complete transactions that would otherwise have been done in person. As such, there is a large pool of potential business to exploit.
A prime example is retail, with retailers hoping to replace lost sales by ecommerce. Digital platforms, whether these are apps or social networks, have become popular with users. Businesses consider that these new users are the customers that will replace the footfall that has gone, but they may not consider the GDPR effects that come with the transition.
In its simplest form, when a consumer buys in a store, the retailer (unless the business uses a loyalty scheme) will have no record of the customer. When a consumer buys online, the business will by definition collect a lot of consumer data, including their name, address, contact details and retail preferences. Is the consumer aware of this? How will the business use that data? For how long will the business retain the data? Will the business be tempted to then market to the consumer? How secure is that data? The backdrop here is that the ICO’s enforcement action to date shows that it is more likely to fine businesses that market to consumers without thought or that have not properly assessed how secure their systems actually are. When assessing their GDPR compliance, therefore, businesses need to assess how and why they are storing client or customer data.
Businesses now have to work with their clients and staff remotely. The platform or portal has now become the office.
Any effective GDPR compliance programme will look at the increased use of digital platforms and the decreased use of data being handled physically in one place, and risk assess them.
In terms of the new virtual office, the GDPR challenges businesses to consider the following:
- Account for all the personal data your system collects: what data; why and for how long do you keep it?
- Who has access to what data on the system?
- What direct marketing do you do? Are the recipients consumers?
- How secure are your systems? Have they been reviewed externally? Are there firewalls? How do you back up? Is there a disaster recovery plan in place?
The new remote offices
This requires less of an introduction. Many office workers and professional people are exclusively working at home. They use the system to process data and rely on everything being available so they can access the information they need. Now, some are questioning whether offices will still be needed.
In terms of the new remote office, the GDPR challenges businesses to consider the following:
- Some of your staff will retain paper documents and may even have taken paper data home with them. If so, how secure are they? Can children or pets compromise them? Will guests or cleaners have access? How does this paper data get onto the system?
- Some of your staff will not find your system easy to work on remotely. Have you identified them and offered training? In the absence of that, will they use their own IT (iPads, laptops) to work instead of, or in addition to, the business’ more secure IT system?
- How strong are the passwords that workers use? Remote access solutions are always vulnerable. If passwords chosen by staff are weak or can be ascertained from an employee’s social media page (this is where hackers look), then the business is exposed.
- Phishing and malware are a greater threat. With the business relying on the system without the backup of paper files, a successful attack could be devastating. For staff working remotely, talking to fellow workers is “higher entry” – they have to call or email and therefore do not have the easy opportunity to discuss suspicious emails with colleagues as they would when in an office or physically together. The increased volume of emails means that each email is allocated less time by the workers. Working remotely therefore carries a higher risk of an employee falling for malware or phishing.
- For a business that suddenly had to vacate its office, how secure is the paper that was left behind in the now-empty office? Was it just left on desks?
- How does the business intend to monitor those working remotely?
These sudden changes to how companies operate have led them to rush to implement new digital interfaces, but in so doing, they need to re-evaluate how the business functions. Although the two changes are different conceptually, the risk assessment is essentially the same. But this time the stakes are higher: the more a business relies on an IT system and digital processes, the less likely it is to survive an incident and the GDPR consequences that follow.
The ICO will hold businesses that have not considered privacy as they make these changes to account. Even if the ICO imposes remedial measures to allow the business to adapt instead of a fine, there is still the reputational risk to consider. All ICO action is disclosed on their website. Beyond this, those who have dealt with a business that they consider has been negligent with their personal data are likely to cease dealing with that business and tell others.
Alexander Egerton is a partner in the Corporate team at Seddons