1 Data Privacy
It is unlikely that you will be collecting personal data relating to Covid-19 from your customers, but you might be about to do so for your employees. But have you considered what data will you be collecting, how long will you be keeping the data for and what will you be doing with the data?
If you are considering taking people’s temperature when they arrive at the office, you will need to explain why and what happens if it is a positive or negative result. I would recommend that this data is not retained because tomorrow is a completely different scenario.
Alternatively, you might decide to operate your own track and trace system where if someone who has been to the office reports having symptoms, then you will inform others who may be have been in contact with that person. But if you decide to do this, you must decide whether or not you give out the infected person’s name and how long will you keep the fact that they’ve had symptoms for. Also what will you do with the data about those who have subsequently had to self-isolate?
Some companies have also been collecting data to determine if any employees might be vulnerable, or live with vulnerable people, and you must ask yourselves the same questions as above. Or can you achieve the same results by asking less intrusive questions, or not asking any questions at all?
2 Physical Security
Physical security often takes the form of key cards or touch pads which require people to touch the same spot over and over again. To prevent this, you may have considered an alternative security system and might even have thought of hands-free systems such as facial or iris recognition systems to reduce touch points.
And while these are excellent solutions, using them means that you will be processing biometric data (which is categorised as special personal data), and therefore you will need to consider the lawful basis for doing so. You would also need to tell your employees what and why you are doing it, and this requires an update to employee privacy notices. You must also consider what you would do if some people refuse to use the biometric access control systems; what are the alternatives? And how will you deal with and inform visitors and contractors, if you allow them on site?
3 Network Security
Since the beginning of the lockdown, it is likely that the whole architecture of your company network has changed. The IT team will have done a brilliant job of getting people connected in a very short space of time so that employees can work from home, however their initial solution may not be the most optimal now that we are starting to return to normal.
Therefore, you will need to review what security measures are in place for people working from home, e.g. VPNs etc., and what is needed in the office. Are there better software solutions available that will improve security whilst maintaining access? How will this affect your customers and their experience of contacting you, or buying from you?
And beyond software, it’s a good time to refresh your staff training on how to spot phishing and bugged emails. It should come as no surprise that hackers have turned their attention to home workers in recent months and to avoid your company falling victim, your employees need up to date training.
4 Technical Security
Making sure that all company assets have the latest security patches and programmes installed is going to be a challenge when more people are going to be working from home and even more so if they’re using their own devices.
Having a comprehensive programme for patching, penetration testing and assessing vulnerability generally is vital. And in doing this, you should also consider how up to date and relevant your Information Security and BYOD policies are.
5 Asset Management
With many people working from home, have you considered what changes there have been, and will be, in terms of the management of your assets? Naturally we’re mostly talking about technology assets such as desktops, laptops, scanners and printers. Is there a register for them and is it up to date? If people are leaving the organisation while working from home is still in place, how will you retrieve your assets and what will you do with them, e.g. do you have a proper asset destruction procedure?
Will you need to change the mix of assets and will more people have laptops instead of desktops to enable them to work from home? Or will more people be using their own devices? If so then you will need to think about the security of those assets, how you can ensure acceptable use of the internet and whether you will need to deploy additional security software.
6 Access Control
As with asset management, what has changed in terms of access control? It might be that your organisation has furloughed a number of people and made others redundant, therefore have the correct leavers procedures been followed for those people no longer in the business? Also, if there have been changes to the staff numbers and roles, will those remaining need different access rights to central files and CRM systems? Might you need to review access rights more regularly? It can be very easy to let these things slide in such fast-changing times but, remember, you have access control policies for a reason.
7 Business Continuity
You have probably managed this pretty well by now, but I bet there were things you could have done better. As the dust settles, you should look at updating your Business Continuity Plan, making sure to include data protection and information security measures if they weren’t there before, and re-communicate the plan across the organisation.
8 Incident Management
Aligned to the above point, have you considered what would happen if there is an incident, such as a data breach? It is going to be much more complicated to manage this when people are working from home, both in terms of the investigations and initial recovery, but also the communications during the incident – although we are all now becoming experts with MS Teams, Zoom, Google Meet etc.!!
Have your processes changed at all and how has the ‘new normal’ affected your processes generally? If the activities that process personal data have changed then you will need to have updated your Records of Processing Activities and if you have data maps these will need to be re-looked at again.
And finally, how will the new normal affect governance? Do you need to review and revise your risk registers and therefore the risk mitigation measures? Are your policies and procedures relevant? How will controls be audited? Do you, or will you, include business continuity, data privacy and information security in your management meetings? This all needs to be thought about.
There are many considerations that need to be taken into account before you can get employees, contractors and visitors back into the office. These are not insurmountable, but there must be some risk assessments, planning, updating of documentation and good communications undertaken to make sure that you not only stay compliant, but also provide good information to anyone who arrives at the office.
Other information sources: