The Covid-19 pandemic’s impact on remote work has placed an unprecedented burden on already resource-constrained IT teams. Rapid onboarding of vendors and new technology roll-outs have opened a Pandora’s box of providers and novel risk exposures to evaluate. At the same time, the burden of maintaining compliance with data privacy laws like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) is increasingly falling on IT’s shoulders.
The nuances of data privacy and data protection regulations may feel like foreign territory for many IT teams. Indeed, they typically fall under the leadership of legal or compliance stakeholders. Still, the existing and emerging laws are introducing a new set of considerations for IT teams to address when sourcing, deploying, managing or sunsetting systems and working with third-party providers.
This article offers five tips to help IT teams understand their obligations and put their organization in a stronger data privacy compliance position.
- Understand the privacy and security implications of the systems and collaboration applications that have been added to the environment to enable work from home. Corporations are more reliant upon collaboration tools than ever before, and most likely not all the tools in use have been properly vetted or even put on IT’s radar. Privacy-sensitive information may be generated, stored, processed or shared via these tools outside the reach of existing data privacy policies and controls. Encryption standards and security protocols vary widely from provider to provider. A serious and comprehensive audit and risk assessment is needed to understand the potential privacy and security gaps in newly onboarded or expanded applications that process or store personal or business-critical information. Protection and governance of these applications and systems are additional obligations that must be addressed to maintain privacy compliance.
- Get a reality check on the privacy laws that apply to the regions where remote employees or contractors are living and working. In many ways, the new rules of the workplace are being rewritten in real time. With employees working from home, especially if they reside in regions with stringent data privacy laws, extra precautions may be needed to avoid legal and regulatory violations. For example, if the company is using monitoring software to track employee work or proctor an exam, additional consent documentation may be required. Understand the scope of use, be transparent and work with legal and HR to properly document consent and other necessary employee and applicable supplier agreements. Moreover, it is important to remember that the collection, storage and use of personal data or personal information, generated from security or monitoring tools (like biometric data or camera recordings), may be subject to multiple privacy regulations, and thus must be managed according to the company’s privacy and compliance policies. These regional considerations also extend to third parties, and IT must have visibility into how a third-party’s distributed workforce might affect the regions through which company data is flowing. These factors can directly impact compliance obligations, data mapping, contracting and other privacy-related issues.
- Establish a knowledgeable governance conduit between IT and legal. Global data protection laws vary widely from country to country, and in the U.S., individual states are introducing or exploring their own regulations. Keeping up with these disparate and nuanced laws is a challenge. Companies that have already established a privacy committee spanning multiple business units have a good start and should lean on that team while navigating privacy risk. In the absence of a dedicated committee, stakeholders should appoint an individual with information governance, data privacy and technical knowledge to serve as a conduit between IT, legal and compliance, with access to the C-suite so that risk and the issues being addressed can be communicated effectively.
- Assess whether the new work-from-home infrastructure affects company compliance with personal privacy and civil rights obligations. For many people, working from home also means working beside roommates, partners and children. If video meetings or conversations are being recorded, voice, video or other potentially sensitive information belonging to other persons in the home is likely to be inadvertently captured and processed. Similarly, sensitive data belonging to different companies may become intermingled when household members share the same physical space or devices for work. These variables have the potential to create complicated issues or disputes around personal privacy, civil liberties and IP loss.
- Keep vendors accountable. Now is a good time to revisit certifications and service level or accountability agreements with third parties. Take time to examine the details of any changes to vendors’ data protection practices and ask about any relevant breaches that have occurred. Understand how third parties are maintaining business continuity, and whether that affects the handling or location of your company’s data. Partner with legal and privacy teams to ensure they fully understand the types of data being transmitted or processed and the level of access the vendors have to it. This effort can include conducting Privacy Impact Assessments, issuing updated and more extensive Standardized Information Gathering Questionnaires to vendors, modifying existing Data Protection Agreements and revising service level agreements to adapt to new remote workforce challenges and needs.
IT’s participation in data privacy compliance must be a priority. IT teams that work strategically and collaboratively with privacy, legal and compliance leaders through every workplace transition and at key technology decision points will go a long way in helping reduce risk for their organization.
Tracy Edwards and Jon Ringler, FTI Consulting