CORPORATE | 07.03.2020
How does the new reality affect the protection of personal data?
Personal data protection is an issue viewed by most governments as particularly important, given that it involves private information that must be used lawfully, fairly and transparently. A good example of its value in democratic countries is the European Union, where personal data is zealously protected.
In the current worldwide pandemic, this issue has been affected by a situation that has created a state of alarm in some countries, where personal freedoms have been limited in an effort to achieve a greater good: stopping the spread of the virus.
Now, after several months of lockdown and with countries still experiencing peak levels of infection, a number of factors are affecting the right to personal data protection. How do the medical tests and checks being conducted conflict with this right? What steps do companies need to take to comply with existing regulations when implementing remote working for many of their employees? And finally, what should small businesses that have decided to open online stores do to counter their losses now they are unable to make physical sales as before?
Controlling the disease
On the first matter, companies are currently able to process the health data of their employees with the aim of protecting workplace health and safety. The AEPD (Agencia Española de Protección de Datos — Spanish Data Protection Agency) makes this clear. The agency operates under the GDPR (General Data Protection Regulation) developed by the European Union, which is one of the world’s most advanced regulations in this area.
“Pursuant to health, labor and, in particular, occupational risk prevention regulations, employers may process their employees’ data—in accordance with the aforementioned regulations and the guarantees they establish—insofar as necessary to ensure the health of their employees and to adopt the necessary measures of the competent authorities. This also includes ensuring the health protection rights of other personnel and preventing infections within the company and/or workplaces that may spread the disease to the entire population,” explains the AEPD.
Moreover, employers can design the necessary contingency plans provided for by the health authorities. Naturally, these processes must comply with data protection regulations at all times. The AEPD itself states that “to comply with coronavirus pandemic decisions made by the competent authorities, in particular health authorities, data protection regulations should not be used to hinder or limit the effectiveness of measures taken by these authorities in the fight against the pandemic.” Both the AEPD and the EDPB (European Data Protection Board) have also pointed out that the lawfulness of such processing must be underpinned by legitimate reasons for its use, ensuring at all times the proportionality of the measures to be taken by the employer. The measures chosen must always be the least intrusive for the data subject and comply with the principles required by the GDPR.
Working remotely has boomed during lockdown. This modality not only improves employees’ work-life balance but also minimizes environmental impact and even provides savings for businesses. In fact, up to 40 percent of workers in the EU have had to continue working in this way during lockdown, according to a study by the European Foundation for the Improvement of Living and Working Conditions. This has also occurred in Latin America, where 40 percent of organizations have had 80 percent of their workforce working remotely, according to a study by consulting firm PageGroup and echoed by eltiempo.com.
However, large companies, SMEs and the self-employed need to bear in mind that remote working is not about providing a laptop to workers and leaving them to perform their usual tasks from home. Instead, appropriate security measures must be taken to ensure data protection and avoid security breaches.
Remember that the GDPR already establishes a series of measures for organizations to take, such as appointing a data protection officer in certain cases, keeping a record of processing activities, conducting a risk analysis and establishing mechanisms and procedures for managing security breaches, among other things.
It is therefore vital that remote workers have the right tools to make their work completely secure, especially those who process client or employee data. For such workers, any loss or improper processing of information could result in significant penalties (up to 4 percent of the company’s annual turnover).
For this reason, both data protection agencies and security and technology specialists emphasize the need to use work tools that offer the necessary security guarantees, especially those used for sending messages and information, and for file sharing.
The AEPD has issued a statement with a number of recommendations for remote working along these lines. It recommends that data controllers define an information protection policy for mobile situations, choose reliable and assured service providers and solutions, restrict access to information, periodically configure equipment and devices used in mobile situations, monitor external corporate network access and rationally manage data protection and security.
For personnel involved in data processing, i.e. employees, the AEPD recommends respecting the information protection policy defined by the relevant manager for mobile situations, protecting the mobile device and access to it, guaranteeing protection of the information being processed, storing information in the appropriate network spaces and, if there is a suspicion that the information being processed may be compromised, reporting the security breach immediately.
New business models
Another consequence of the COVID-19 pandemic has been the shift of many companies toward new business models in which everything digital becomes particularly important. Restrictions on movement and capacity have led to online stores opening to counteract the reduced number of clients.
As with remote working, companies that turn to eCommerce must always comply with both personal data protection regulations and information society services and eCommerce regulations.
Technological support is needed to facilitate these objectives. SMEs and the self-employed often have fewer resources, but this is no reason to neglect compliance. As Borja Pérez, CEO of ITWISE Technology Services explains, “the technologies most recommended to comply with the various aspects of the GDPR, which companies should adopt, are to have at least one on-premise and one cloud backup in order to recover data that has been tampered with or erased due to intrusion or data loss; use a secure video conferencing tool for remote work that complies with relevant security recommendations (meeting access control, document sharing precautions, etc.); have a VPN connection for secure remote access and to protect against intrusion; install properly updated anti-virus or anti-malware on all work stations, and of course, ensure that users have strong passwords for proper access control and legitimacy.”
In short, it is about adapting to the new times in the best possible way, while respecting the regulations already in place.