As the COVID-19 pandemic shows no signs of slowing down, companies are finding themselves asking questions around data compliance, security, protection and privacy.
The new challenges are forcing organisations to ensure that all their digital experience platforms are not only more secure than ever, but also forward-facing.
Since organisations have had to change the way they work and move to remote working, many had no choice but to rush to the cloud, with a pressing need to start using new technologies and solutions.
In fact, one of the biggest challenges they have faced as a result comes from a data protection and regulation standpoint. Companies now have an obligation to update their processing activities, update or initiate new contracts and data protection agreements, and refresh training modules to include the new technologies, to name just a few, all while complying with GDPR laws.
How organisations need to change their ‘way of working’
The COVID-19 pandemic will without a doubt affect how companies operate, which is why their use of personal data needs to be 100% compliant with data protection laws. Failing to do so can result in very heavy fines.
Due to the extraordinary efforts companies have made to keep their employees and customers safe, the collection and processing of new types of data about employees, for example, is now required. A major portion of this new information falls under “personal data” and “special categories of personal data”. The use of this data is subject to strict compliance requirements under the EU GDPR.
Here is a brief overview of some of the key issues companies must take into account from an EU data protection security and compliance standpoint:
Any COVID-19 related information collected may fall under ‘personal data’ or ‘special categories of personal data (SCD)’
In order to manage the impact of the outbreak and ensure that decisions are well-informed, companies may need to collect information from employees that may not be collected otherwise.
For instance, data collected on employees, such as whether they have self-isolated, body temperature readings, device location data and the people they were with on a given day, can be regarded as personal information. As it pertains to the individual’s health and wellbeing, it falls under the SCD sub-category.
How personal data and SCD are processed is subject to strict compliance requirements imposed by GDPR laws.
Best to undertake a DPIA before acquiring personal data and/or SCD from employees in relation to COVID-19
To play it completely safe, companies must consider undertaking a DPIA (data protection impact assessment) before they collect any personal data or SCD from their employees for the purpose of curbing the spread of COVID-19.
A DPIA helps companies understand the specific risks related to certain data processing activities, as well as the measures to be taken to curb those risks. It can also inform the changes which may need to be implemented in other data protection-related compliance areas within the company, such as privacy notices or records of processing activities.
We’ve barely skimmed the surface here as this is a very broad topic indeed. Organisations should pay heed to the above in order to avoid fines, and pay special attention to the benefits of undertaking a DPIA.