Some have called it the “new normal”. Others speak of the “Post-Covid world.” More positive and hopeful voices tell us that the Covid-19 pandemic, while painful, is but a temporary hiccup in the history of humanity. Whatever the truth of the matter it is clear that some aspects of our behaviour have changed significantly, and that these changes may have a lasting impact on society.
In February 2020, only a few weeks before EU nations began locking down, NOYB, a non-profit organisation led by the privacy activist Max Schrems, announced that it had lodged a complaint against Amazon with the data protection authorities in Germany. The complaint was filed under the GDPR and alleges that Amazon’s internal email security is weak. NOYB claims that the system does not have the ability to encrypt emails sent between Amazon’s third-party sellers and its clients.
It is no secret that in the weeks that followed this announcement, more and more consumers took to their keyboards as shops closed and travel was restricted due to lockdown. This may lead to a longer-term, and sizable, shift in retail practices. Vulnerable people in particular now feel safer ordering their purchases online. Others have discovered, through the initial necessity of lockdown, that they do not miss the crowds and queues of the high street and enjoy the convenience and time-saving of ordering products from the comfort of their own homes.
With increased traffic, however, comes increased risk. The NOYB case against Amazon (still pending at time of writing) is therefore particularly relevant in a world that is still getting to grips with the changes enforced by the Coronavirus pandemic and indeed with the GDPR.
While it must be acknowledged that the spike in online shopping has been unprecedented, the fundamental nature of business has not changed for such retailers. They must get to grips with the increased volume of traffic, and the security risks that it brings, but their model of commerce has not changed. Additionally of course, while relevant to it, the NYOB case against Amazon pre-dates the current crisis.
Other sectors are grappling with radical change to their working environment. With little prior notice, millions of people around the world suddenly found that were required to work from home. Interestingly, many have found that they can perform their role equally well, if not in fact more efficiently, from their own home via laptop and telephone than in the office. The Brookings Institution’s Katherine Guyot and Isabel V. Sawhill perhaps described the circumstances best in writing that it was proving to be “a massive experiment in telecommuting.” The result of that experiment is likely to be that a significant proportion of those workers will choose to continue to work from home, either full-time or a number of days a week, even after the pandemic has subsided.
“Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.”
Jürgen Stock, INTERPOL Secretary General
As smoothly as the transition to working remotely has proven for many businesses, some problems have begun to emerge. In early August 2020, an INTERPOL assessment of the impact of COVID-19 on cybercrime reported a notable target shift from individuals and small businesses to large corporations together with governments and infrastructure.
Businesses were obliged to deploy remote systems and networks to support staff working from home with great haste, and criminals have taken advantage of increased security vulnerabilities that resulted from this rapid changeover in order to steal data, cause disruption, and generate profits for themselves. INTERPOL has also warned that incidents of such cybercrime are likely to increase in number and regularity in the near future.
It goes without saying that the GDPR applies to the treatment of data whether that work is being carried out in an office or an employees living room. The rules remain the same, but many businesses are now facing the new challenge of ensuring that staff working remotely continue to be GDPR compliant.
At this stage, your company may already have embarked on its journey toward full GDPR compliance. Staff should have received instruction in the basic procedures for gathering, treating and protecting data, and a Data Protection Officer and (if necessary) a European Representative appointed. These, and other procedures, remain largely unchanged whether employees are working on site or at home. What might be different is the level of security that is currently maintained, or indeed available, concerning data that is processed remotely.
Are you staff using company or personally owned computers? Is any other work carried out, or data stored, on said device? Does any other member of the household use it? Is it adequately protected?
These are concerns which normally would not apply to desktop computers on your premises, the security of which is more practical to manage. A dramatic switch to distance working, introduced more or less overnight, undoubtedly therefore poses numerous problems. It may not have been feasible to provide all workers with a company laptop immediately. There was little time to train staff in new procedures. It is an uncertain time for business, and indeed for life in general.
In the first few months following its introduction, many commentators felt that authorities were providing businesses and organisations with a certain ‘grace period’ in order to get up to speed with their GDPR compliance before issuing fines to the full extend that the legislation allows (€20 million or 4% or annual turnover, whichever is greater). That grace period has long since passed, however, and it is very clear that the authorities mean business. GDPR compliance is not optional.
Given the difficulties being faced by companies struggling to re-order their work practices in the face of Covid-19, is it possible that the authorities will take a more lenient view of infringements that occur as a result of security lapses involving distance working? It is possible, yes, but perhaps only for more minor infringements. When large amounts of personal data are exposed, individuals need to be compensated and wrongdoers have to pick up the tab. The bottom line is that telecommuting workers owe the same duty of care to data subjects as they do when in the office.
Security when working from home
Steps to ensure cyber security for workers who have recently begun working remotely should, as a minimum, include the following:
- A review of all privacy and security policies together with related procedures. Your company should audit, and if required enhance, its policies and procedures to ensure that they sufficiently address present operations.
- Modernise staff training to reflect the challenges of today. To guarantee that personnel are fully informed of their privacy and security obligations in the Covid-19 age, regular training on company policies should be provided and then circulated via the company intranet or staff email. This training needs to be practical and reflective of today’s virtual environment; include the usage of secure collaboration tools, how to identify Coronavirus phishing emails and scams, and the safe disposing of paper records at home.