The mass migration to remote working due to Covid-19 has created unexpected General Data Protection Regulation (GDPR) issues. Here is the latest information on regulation and what you need to be aware of.
The first week of May will see the two-year anniversary of GDPR, rules which ensure that organisations collect personal data legally, and under strict conditions. In addition, those who collect and manage data are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners.
During the Covid-19 crisis, the UK regulator, the Information Commissioner's Office (ICO), is relaxing its approach to GDPR enforcement, in line with its commitment to being “pragmatic” and “proportionate”.
The ICO will take into account the strain on frontline services and organisations facing staff shortages and financial pressures when applying data protection laws.
In April the ICO said, “We acknowledge our responsibility to take into account these exceptional circumstances. We set out the flexibility the law gives us to be a pragmatic and empathetic regulator. We confirm our efforts will be focused on the greatest threats. And we acknowledge the important role that people’s information rights will continue to have.”
In terms of practical advice for remote working, there's a risk that businesses don't put in place a proper process for transferring files that include personal data - either using a secure file transfer provider or, at the least, ensuring staff lock documents and send the passwords separately.
Additionally, with so many people working from home, staff need to use secure internet connections - not borrow other people's or use open networks.
Businesses will be trying to do a lot of free marketing to pick up new clients in the current climate, so it's critical that they know their legal basis for processing data - i.e. have they got consent, and can they prove it? If not, can they use legitimate interest? Importantly, they should pick one reason and have proof of it.
In the current lockdown it is unlikely that you will be travelling extensively for work, but when restrictions are eased, remember that lost and stolen mobile devices and laptops are easy pickings for cybercriminals. The first line of defence is to look after them - always keep them in sight when in use, and never leave them in a vehicle.
Aside from remote working, if your startup is building new technology, the UK Information Commissioner gives a few areas of data usage to focus on here. The guidance is Covid-19 specific, but the advice transfers across to any new tech build and to processing customer data.