As the COVID-19 outbreak continues to unfold, businesses are dealing with new and unprecedented operational, economic and legal challenges. This new situation requires companies to both act and react quickly to the new business landscape. One of the areas that needs to be addressed specifically as a result of the COVID-19 pandemic is data protection. Businesses now need to consider how they comply with regulations on the processing of personal data for health monitoring purposes, how they deal with crisis management issues, and what steps to implement to ensure that privacy compliance programs continue to be followed.

Moving forward, it is important to ensure business continuity, including with respect to privacy compliance programs. To limit disruptions to daily business operations and maintain appropriate internal governance, leadership and oversight functions should continue to operate effectively. Appropriate escalation processes should be in place to handle high-risk privacy matters, and procedures for handling requests from data subjects exercising their rights under the EU General Data Protection Regulation (GDPR) should gradually return to normal.

Business continuity guides

While the long-term outlook of the COVID-19 (coronavirus) pandemic is still highly uncertain, all levels of society – businesses, families, individuals – need to adapt to new, troubling challenges. For businesses these challenges include supply and demand disruption; for individuals, who make up a company’s workforce, they include social distancing and serious health implications.

Business continuity is crucial – staff must be protected and able to work effectively so they can contribute to the economy and society. Thankfully, solutions exist that keep employees safe while maintaining business productivity, and they can be rapidly implemented at scale.

Processing of Personal Data for COVID-19 Detection and Prevention Purposes

All data processing operations, however, must be proportionate to the purpose that the data controller is seeking to achieve. In addition, the data processing must respect the other data protection principles and requirements set forth by the GDPR, such as the principle of data minimization (i.e., avoiding excessive information collection) and the requirement for transparency (i.e., ensuring that data subjects are fully aware of the processing of their personal data for COVID-19 detection and prevention purposes).

EU data protection authorities, among others, have issued recommendations for a number of practices involving the processing of personal data for COVID-19 detection and prevention purposes, including:

  • Surveys and temperature tests: As a general best practice, companies should avoid conducting systematic surveys for COVID-19 infections among employees or their relatives, contractors and visitors. Conducting mandatory temperature tests of these individuals may similarly be problematic from a proportionality perspective, but mandatory temperature tests could be justified in limited individual cases if no less intrusive measure would be adequate. With respect to reporting, companies may encourage employees, contractors and visitors to voluntarily report travel to any high-risk areas, but companies should avoid issuing mandatory questionnaires regarding all recent travel.
  • Identity of infected employees: Due to confidentiality and data minimization obligations, companies should generally not reveal the names of employees infected with COVID-19, but may inform others (including coworkers, customers and public authorities) about an infection or the number of infections within the company’s workforce. If revealing the name of an employee who contracted the virus is strictly necessary for prevention purposes and the applicable national law permits doing so, the employee concerned should receive advance notice.
  • Employees’ personal contact details: In general, the processing of employees’ personal contact details, such as private cell phone numbers and email addresses, is allowed to the extent necessary for the employer to communicate with the relevant employee for COVID-19 detection and prevention purposes.
  • National variations: Although there is a certain level of consistency in the COVID-19-related issues addressed by regulators, data protection guidance on these issues varies by country within the EU. As a result, when designing COVID-19 detection and prevention measures involving the processing of personal data, companies operating in multiple EU Member States should examine the requirements and regulatory guidance at a national level.

Crisis Management

Cybersecurity Preparedness

The number of cyberattacks on company systems has increased and is likely to continue to increase as businesses and workforces move online in response to COVID-19 confinement measures. Cyberattacks can disrupt company systems and expose personal data to unauthorized access by third parties. In light of these concerns, it is important to review and, if necessary, revise the company’s cybersecurity preparedness measures and incident response plans to ensure that they are adapted to the new reality of doing business remotely.

Safe Teleworking

As businesses continue to rely heavily on teleworking, companies should also consider setting up, or finalizing the setup of, employee remote working practices to ensure the safety of company systems, including the protection of personal data residing on those systems. For example, allowing employees to use personal devices to connect to the company’s network may pose particular risks to system security and of unauthorized disclosure of personal data. These risks typically should be addressed in a robust bring-your-own-device (BYOD) policy. Companies should also consider providing appropriate training to educate employees and raise awareness about safe teleworking issues, such as which cloud-based resources employees may use when working remotely, using a secure internet connection, the importance of strong passwords, implementing firewalls and anti-virus protection on any personal devices, and securely transmitting or disposing of documents containing personal data. As a best practice, companies should establish guidelines for handling files at home where required, for example for HR managers who may need to transfer employee files to their home office during the teleworking period.

To the extent that the teleworking situation is likely to last for a long period or become the company’s standard, the company should consider developing and maintaining a safe teleworking policy. Alternatively, updates to relevant parts of existing policies, such as an IT systems monitoring policy or acceptable use policy, could achieve the same result.

A practical way to raise awareness internally about safe teleworking is to provide, in the relevant policy or communication, examples of unsafe behavior that puts information security and personal data at risk when employees work from home (e.g., changing laptop settings, letting others at home use the company device for personal purposes, sending confidential documents to personal email accounts or allowing others to overhear business conversations). Updates to other company policies, such as information security policies, may also be required because of the novel teleworking situation and the particular risks related to it. Directing employees to the relevant resources and issuing updates or reminders in stages, so that priorities are managed effectively, would be useful. Teleworking may also raise new challenges for existing employee monitoring practices or create a need for additional employee monitoring measures, which should be assessed from a national labor and data protection law perspective.

Vendor Management

As the implications of COVID-19 continue to evolve, identifying the vendors that are critical to the company’s business, services or communications (e.g., video conference vendors) is recommended for business continuity purposes. For key vendors, companies should consider (i) listing the relevant contact persons and their respective contact details and (ii) identifying alternative resources that may be used if necessary to mitigate an immediate data protection issue involving the vendor.

Vendor data protection issues may vary depending on the vendor’s type of business, but such issues could include, for example, (i) disruptions to individuals’ availability and workflow continuity due to the vendor being unavailable or technically unable to provide a service or fix an issue, (ii) data security issues, (iii) difficulties deleting personal data after termination of the service or (iv) delays in notifying customers in the event of a data breach. In anticipation of potential issues, contracts or relationships with key vendors may need to be reviewed to strengthen protections such as data security and incident notification, or to identify alternative contacts in case certain contact persons become unavailable.

Organizational Measures for Business Continuity

In times of uncertainty, ensuring the ongoing availability of resources within an organization is important to limit disruption to daily business operations and maintain appropriate internal governance.

Leadership and oversight: To handle a crisis effectively, it is important that senior leadership and their support functions remain available and continue their oversight when working remotely. These essential parties and functions can include the general counsel’s office, the chief privacy officer’s team, the data protection officer’s team, the incident response team, and the procurement and vendor management functions. In addition, employees should know whom to contact for data protection review of products and services in the event that key individuals or the data protection officer become unavailable. Organizations should consider establishing a record of how data protection responsibilities are divided between senior managers and the relevant review teams, together with their current contact details, availability and replacements, and of the media where key business information and correspondence is stored, in case someone becomes temporarily unavailable. This will help the company obtain approvals, issue notifications and make decisions regarding the processing of personal data in connection with product updates or employee privacy issues as business operations continue amid the pandemic.

Accountability and escalation process: While personnel are settling into their home offices and business meetings are held remotely, the documentation required to demonstrate a company’s accountability with respect to the processing of personal data should not fall through the cracks. For example, it is vital for companies to know how data protection impact assessments (DPIAs) will continue to be conducted and to have a process in place for maintaining records of current data processing activities. Taking these steps will also help the relevant teams know how high-risk privacy matters should be escalated internally, if required for making decisions during an emergency event.

Data Subject Requests: Companies are likely to continue to receive requests from data subjects exercising their data protection rights under the GDPR, such as the rights of access to or deletion of their personal data. From an operational perspective, it would be helpful to consider how the company will handle data subject rights requests moving forward. The GDPR requires companies to assess and respond to such requests within one month of receipt, but it permits an extension by a further two months if necessary, taking into account the complexity and number of requests. If an extension is required, the company should inform the data subject of the reason for the extension and document why the company is unable to meet the statutory timeline. At this time, data protection authorities generally understand that the challenges companies currently face in handling business operations during the COVID-19 outbreak may require diverting resources to prioritize other areas. Although some data protection authorities (e.g. the UK and Ireland) have expressed their support for organizations on the front line of fighting the pandemic (for example, health care providers and governments), the authorities say they are not able to extend statutory timelines. As a result, companies facing issues in responding to data subject requests should consider implementing a pragmatic plan, based on available resources, to provide information in phases where possible and to request an extension when necessary and appropriate.

Business Continuity Plan for COVID-19

With COVID-19 officially declared a pandemic by the World Health Organization, European governments and companies, facing unprecedented challenges, are encouraging their employees to work from home, protect their health and support government measures. The guide “The six-step COVID-19 business continuity plan for SMEs”, developed by the ILO Bureau for Employers and available via the link below, is organised in two main parts. It includes guidance for analysis, a checklist of measures for crisis management and a Business Continuity Plan. It can be used entirely or partially depending on the specific needs and stage of the situation. Its aims are to:

  • maintain responsible treatment of clients and support them in coming up with measures to cope with the COVID-19 situation;
  • minimize the risk of infections and ensure responsible treatment of employees and agents during the crisis;
  • minimize the risks for the institution in order to ensure business continuity during and after the crisis; and
  • proactively communicate with all stakeholders.