Top five threats to compliance during the pandemic

1. Compliance risks from remote and home working

The greatest single risk to compliance comes directly from staff working remotely, most often from home.

Some businesses were able to mandate the use of company-issued laptops, managed mobile or fixed broadband, or even virtual desktops. But others were forced to rely on bring-your-own-device (BYOD) strategies, or allowing staff to use existing personal equipment with few added security, data protection or data assurance measures.

Even when businesses already had extensive remote working technology in place, employees at home may have struggled to create a completely secure workspace while sharing with family members, including children home-schooling. Sharing of broadband and printers is also hard to avoid.

Firms should review data storage arrangements, and check that they comply with the General Data Protection Regulation (GDPR) and any industry-specific regulations. This could mean moving away from consumer cloud storage, or banning unencrypted storage devices.

“Now we have more clarity about working from home, I would hit the reset button and make sure to do things right, through policies and training,” says Gorge. “I would take the next few months to audit for any data that may have gone rogue, and take whatever corrective measures are necessary.”

2. Compliance risks from Covid measures

During the pandemic, the UK government passed laws that require organisations to collect additional data on staff, customers and visitors. The main law supports the NHS Test and Trace scheme, with venues required to keep records for 21 days, then securely destroy them.

A number of incidents have come to light where companies or staff have misused Test and Trace data for their own ends. Incidents involved electronic and paper records.

Further complications could arise from rapid testing, and vaccine status information. If businesses require customers or staff to submit proof of a Covid test or that they have received a vaccine, that data will need to be secure.

In each case, potential data breach fines and reputational damage could be significant.

3. Risks from criminals exploiting the pandemic

Organisations risk breaching regulations because cyber criminals are exploiting new ways of working, and fears around Covid itself.

Security surveys worldwide point to a sharp increase in Covid-related malware and exploits, with phishing among the biggest concerns.

While some criminal groups are actively trying to steal data – the European Medicines Agency was hacked last year – others might use social engineering to install malware for future exploits.

“Companies are finding it is harder to train and educate employees when they are not in the office environment,” says Tim Hickman, partner and GDPR expert at law firm White & Case. “So although companies will be saving money on rented office space, they need to reinvest this in training and technology and protection, otherwise they will be caught out by enforcement action.”

And although it might not put businesses directly in breach of regulations, Covid poses an added risk if customers fall victim to scams. The National Cyber Security Centre had taken down 2,000 Covid scam sites as early as April 2020. Consumer education is a worthwhile investment, and will bolster confidence in e-commerce and online services.

4. Risks from non-compliance post-Covid

Organisations acted quickly to keep running last spring. Often, this meant using technology and systems that would not be tolerated in normal circumstances. This includes the use of consumer-grade technology, and personal or second-hand equipment.

But even where businesses have replaced these emergency measures with secure and compliant systems, or asked staff to return to the office, risks remain.

According to the Data health check survey from business continuity supplier Databarracks, less than half of organisations used only company-owned devices. More worryingly, 14% of companies were storing data locally and planned to move it to enterprise systems later.

The challenge for CIOs and data protection officers is to ensure that transfer happens, and that devices or storage media are returned to the business or erased. Paper records need to be shredded. Firms also need a plan for dealing with data held by employees who leave or face redundancy.

Failure to do so greatly increases the risk of falling foul of regulations such as the GDPR.

5. Risks of enforcement ramping up

Despite Covid, regulations and regulators have not gone away. In fact, any grace period granted by regulators is now all but over.

“Organisations just need to bear in mind that the existing rules remain applicable and that they continue to be subject to the GDPR,” warns Reinout Bautz, general counsel at Zivver, a supplier of secure email technology.

VigiTrust’s Gorge warns that European regulators are carrying out more audits, and audits are becoming more granular. “It is not just regulators asking to see a programme, but asking to see the tools that manage it,” he says.

He also sees more emphasis on continuous compliance. “Just because you were not audited in 2021, don’t assume you won’t be audited in 2022,” he warns.

And, although few new regulations have emerged during the crisis, experts expect more countries to tighten up data protection regulations. Those that don’t have their own laws are increasingly looking to the GDPR as a template.

CIOs and data protection officers should review their regulatory exposure now, to ensure they are not caught out.