The Covid-19 pandemic has forced one of the largest peacetime shifts in how we do business. Developments such as large-scale home working and a rapid growth in e-commerce and online shopping have changed the landscape, possibly forever.
Digitisation has allowed businesses to continue trading, but a growing reliance on digital systems and data raises some serious questions around data protection and compliance.
Inevitably, the speed of the pandemic and the introduction of national lockdowns forced organisations to introduce new technology and new practices quickly. Sometimes, corners had to be cut. But CIOs now need to ensure they tighten up on compliance, and put measures in place to address new threats.
Regulators might have been lenient during the first few months of Covid-19, but firms should not assume that lenience will continue. “The regulators are still knocking on doors,” warns Mathieu Gorge, CEO at VigiTrust.
These are the five areas to prioritise in terms of compliance:
1. Compliance risks from remote and home working
The greatest single risk to compliance comes directly from staff working remotely, most often from home.
Some businesses were able to mandate the use of company-issued laptops, managed mobile or fixed broadband, or even virtual desktops. Others were forced to rely on bring-your-own-device (BYOD) strategies, or to allow staff to use existing personal equipment with few added security, data protection or data assurance measures.
Even when businesses already had extensive remote working technology in place, employees at home may have struggled to create a completely secure workspace while sharing with family members, including children home-schooling. Sharing of broadband and printers is also hard to avoid.
Firms should review data storage arrangements, and check that they comply with the General Data Protection Regulation (GDPR) and any industry-specific regulations. This could mean moving away from consumer cloud storage, or banning unencrypted storage devices.
“Now we have more clarity about working from home, I would hit the reset button and make sure to do things right, through policies and training,” says Gorge. “I would take the next few months to audit for any data that may have gone rogue, and take whatever corrective measures are necessary.”
2. Compliance risks from Covid measures
During the pandemic, the UK government passed laws that require organisations to collect additional data on staff, customers and visitors. The main law supports the NHS Test and Trace scheme, with venues required to keep records for 21 days, then securely destroy them.
A number of incidents have come to light in which companies or staff misused Test and Trace data for their own ends. These incidents involved both electronic and paper records.
Further complications could arise from rapid testing and from vaccine status information. If businesses require customers or staff to submit proof of a Covid test, or proof that they have received a vaccine, that data is health data and will need to be stored and handled securely.
In each case, potential data breach fines and reputational damage could be significant.
3. Risks from criminals exploiting the pandemic
Organisations also risk breaching regulations because cyber criminals are exploiting both the new ways of working and fears around Covid itself.
Security surveys worldwide point to a sharp increase in Covid-related malware and exploits, with phishing among the biggest concerns.
While some criminal groups are actively trying to steal data – the European Medicines Agency was hacked last year – others use social engineering to install malware as a foothold for later attacks.
“Companies are finding it is harder to train and educate employees when they are not in the office environment,” says Tim Hickman, partner and GDPR expert at law firm White & Case. “So although companies will be saving money on rented office space, they need to reinvest this in training and technology and protection, otherwise they will be caught out by enforcement action.”
And although it might not put businesses directly in breach of regulations, Covid poses an added risk if customers fall victim to scams. The National Cyber Security Centre had taken down 2,000 Covid scam sites as early as April 2020. Consumer education is a worthwhile investment, and will bolster confidence in e-commerce and online services.
4. Risks from non-compliance post-Covid
Organisations acted quickly to keep running last spring. Often, this meant using technology and systems that would not be tolerated in normal circumstances. This includes the use of consumer-grade technology, and personal or second-hand equipment.
But even where businesses have replaced these emergency measures with secure and compliant systems, or asked staff to return to the office, risks remain.
According to the Data health check survey from business continuity supplier Databarracks, less than half of organisations used only company-owned devices. More worryingly, 14% of companies were storing data locally and planned to move it to enterprise systems later.
The challenge for CIOs and data protection officers is to ensure that this transfer actually happens, and that devices or storage media are then returned to the business or securely erased. Paper records need to be shredded. Firms also need a plan for recovering data held by employees who leave or face redundancy.
Failure to do so greatly increases the risk of falling foul of regulations such as the GDPR.
5. Risks of enforcement ramping up
Despite Covid, regulations and regulators have not gone away. In fact, any grace period granted by regulators is now all but over.
“Organisations just need to bear in mind that the existing rules remain applicable and that they continue to be subject to the GDPR,” warns Reinout Bautz, general counsel at Zivver, a supplier of secure email technology.
VigiTrust’s Gorge warns that European regulators are carrying out more audits, and audits are becoming more granular. “It is not just regulators asking to see a programme, but asking to see the tools that manage it,” he says.
He also sees more emphasis on continuous compliance. “Just because you were not audited in 2021, don’t assume you won’t be audited in 2022,” he warns.
And, although few new regulations have emerged during the crisis, experts expect more countries to tighten up data protection regulations. Those that don’t have their own laws are increasingly looking to the GDPR as a template.
CIOs and data protection officers should review their regulatory exposure now, to ensure they are not caught out.