Indeed, the measures imposed by the Governments, on a global level, to prevent the spread of the COVID-19 have, inevitably, caused the interruption of everyday procedures followed by organizations internationally.
Upon the fight against the COVID-19, and in an effort to reduce the said negative impact of “business as usual”, the vast majority of organizations introduced, for the first time, a variety of forms and degrees of remote work to maintain a company’s sustainability.
Undeniably, a solid attempt of the companies to limit the physical presence of the employees to the offices was demonstrated the past few weeks.
However, this implementation of remote work ethics to the employees entails the preparation of the organization to adjust and act accordingly, especially in relation to the personal data protection risks, since the threats that may arise from the use of technology during remote working are sufficiently large.
In case the organizations do not engage the necessary measures, then sudden risks and consequences might be moved stealthily against the organization.
Hence, there are justified concerns on how to maintain compliance with the EU General Data Protection Regulation (hereinafter referred to as the “GDPR”) during this crisis.
The GDPR was established to ensure that each and every legal entity that process personal data are held responsible for the safeguarding of the fundamental right of a person to the protection of their personal data.
Specifically, according to the GDPR, the company shall ensure the minimization of the risk for a potential personal data breach that might lead to the unintentional or unlawful access, loss, alteration, and unauthorized interruption or disclosure of personal data, which as processed or stored by the company.
Such personal data breach includes, but is not limited to, when an unauthorized disclosure or leak occurs and a third party obtains personal data without the prior necessary permission and also when the relevant access to the personal data is lost by the company. To this point, noted shall be that serious breaches that might occur due to the non-compliance of the legal entity with the Regulation can be punishable by fines of up to EUR 20million or the 4% of the worldwide total revenue of the legal entity for the preceding financial year, whichever is greater.
Thus, the GDPR demanded the implementation organizational and technical measures by a company, in such extent and degree, to ensure the protection of personal data, always in accordance to the regular risk assessments executed by the legal entity.
So, what happens in case the company did not have the appropriate time to comprehensively assess the impact of the “remote working” risks prior its implementation to the employees?
A brief risk assessment of the potential company’s threats stipulates that the number one enemy of a legal entity for maintaining its compliance with the GDPR is the unsecured networks.
This is solely because the employee, who is working remotely, is no longer using the secure corporate network that provides the relevant firewalls and encryption and therefore, there is vulnerability of the company to control the features that the employee is using.
In addition, and considering the unexpected outbreak of the COVID-19, it should also be noted that most of the companies did not have the relevant equipment and the employees were called to enforce the BYOD (Bring Your Own Device) policy.
The BYOD policy increases the lack of control of the company and thus, the company’s vulnerability to potential data breaches, due to viruses or malware, enlarges.
Last but not least, noted shall be that the human factor is the weakest link of any safeguarding measure that may be adopted.
Having said the above, the compliance of a legal entity with the GDPR can be argued as of a paramount importance and a company shall adopt all possible measures necessary to maintain such compliance during the COVID-19 outbreak, according to its needs.
Since the needs of an organization for the GDPR compliance may vary upon the nature of the business or the personal data that possess or process, we invite you to discuss further the matter on a case by case scenario.
At Chambersfield Economides Kranos law firm we can advise you and provide you with the solutions for an accurate compliance with the GDPR.
You can contact our law firm for further information.