Compliance in Time of Crisis: Getting Data Protection Right
From companies to consumers, the arrival of coronavirus has rattled everyone. But while it’s affecting us all in different ways, there are some general trends that aren’t difficult to spot. One of them is that everyone is clamoring for information about how they can protect themselves and more people than ever are working from home.
And even if GDPR principles aren’t your top concern at the moment, it pays to keep them in the back of your mind. With so much data flying around, staying compliant during a crisis can save you serious grief down the line. If you read nothing further, take this away: in a situation like this you cannot over-comply.
Compliance in the News
You may have heard that the rules are being relaxed to account for the urgency of coronavirus. That new normal is by no means defined, and it is largely confined to health-related data. So the core issue remains how you plan to use data within your organisation.
- If you’re planning to repurpose your existing information, how compatible is the old goal with the new one?
- Is the data you’re sharing personal information? Can your data be somehow traced back to any one individual?
- Are people being informed that their data is being used? Do they need to be informed under compliance laws?
- Under what laws are you processing and sharing data?
The last question is very much up for debate at the moment. Some worry that a lack of protection and transparency during the crisis will make it harder to get back on track once things return to normal.
Theory Meets Practice
When nearly every news article highlights how little we understand about the virus and its effects, confirmed information becomes that much more valuable. People within your organisation will want to know where colleagues have travelled, whether at-risk individuals have been tested, and what the results were. This is understandable, especially since it can take up to two weeks for symptoms to appear.
However, is it right for your organisation to be cataloguing and archiving this information? Should it be archived at all? It is not necessarily your place to share it and, even if it is, the sensitive nature of health data makes it a compliance minefield. The right framework makes it far easier to process such data in a way that protects everyone.
Setting the Foundation
Purpose limitation exists to stop an individual’s data being reused for purposes they never expected, but it is not meant to stop you protecting other people from harm. And speaking of the individual, GDPR principles place great weight on accuracy. Any information that can be related back to a specific person is personal data, and if you get the facts about that person wrong, the consequences can be disastrous for them and for you.
The real lesson is that a solid compliance foundation goes a long way towards answering the questions posed by this pandemic and by whatever crisis comes next (because another one will). GDPR principles could not have predicted the coronavirus, but their basics provide the skeleton we need to get to the root of the problem.
The Goldilocks Conundrum
The complications of data collection make some leaders want to wash their hands of it altogether. But there is danger in that approach too. Collect too much personal data and you risk compliance violations. Collect too little and you may not have the information you need to protect your staff.
A good GDPR policy will explain who is covered, who processes the data, and the basic rights of each person. This helps your staff understand what is being collected, why it is necessary, and how it is being kept from the wrong eyes.
So when it comes to archiving and storing the information your organisation collects (including email and messaging data), you still need to be mindful of who has access to it and how it could be breached. This balancing act can be managed without specialised software, but the odds of a violation are much higher when the framework is flimsy.
An Easier Question
Beyond the crucial principles of integrity and confidentiality, the flexibility of your compliance policy has a lot to do with how well it performs under stress. Ask yourself how many bumps there were when you implemented a work-from-home policy. Did it roll out fairly smoothly, or was there miscommunication everywhere you looked? Were you able to update your data mapping so that purpose limitation still held? How was data shared once access requests started pouring in from people’s homes?
If you cannot honestly give your organisation top marks for the transition, it may be time to rethink your policies. Remember, this is not just about upper management; it is about every member of staff at every level of the organisation.
The goal of a strong data protection framework is that it is durable enough to stand up to pressure before, during, and after a crisis. With servers straining under prolonged use and attackers looking for their next opportunity, your compliance software needs to hold its own in the storm. As we all adjust to communicating during a health crisis, you may need to ask some hard questions about the information you are using and exactly how you are using it.
PrivIQ is compliance software built on principles designed to protect people, no matter what is happening in the world. Book a demo to see how your organisation can follow the rules without devoting hours of frustration to interpreting every clause of the law. There is no need to panic about your GDPR policy, whatever your industry or specialty. It is all about finding a better solution that is built for real life.