The importance of GDPR compliance in private equity
By Owen Morris, operations director at Doherty Associates – The ICO has remained vigilant when issuing fines to companies that have suffered data breaches. In July 2019, the ICO issued a notice of its intention to fine British Airways a record GBP183.39 million for infringements of the General Data Protection Regulation (GDPR), although the process remains ongoing – with BA's cooperation – and no final penalty notice has so far been issued.
Despite challenging conditions, it has never been more important to be GDPR compliant, particularly in private equity, with the majority of fund management teams working remotely and the risk of information being mismanaged critically high.
Most firms have adapted to and continue to provide a higher degree of remote working due to the new Covid-secure office environment. It’s important therefore to ensure that risk assessments are updated as part of this process, with changes identified and impact on regulatory requirements considered.
The data protection impact assessment (DPIA) is a key tool for assessing changes to working practices that involve processing personal data under Article 35 of the GDPR. An assessment should be undertaken for any major alteration in circumstances – such as the lockdowns and restrictions we are experiencing now.
The ICO publishes a nine-step process for DPIAs, which involves identifying where personal data is processed, considering the necessity for processing, identifying and mitigating risks, controlling them, and updating the assessment on any change in circumstances.
In the pandemic workplace, corporate assets are more likely to be in non-secure locations outside the office firewall. Also, the vast majority of the company is likely to be working remotely. Some may be using their own devices to access corporate information, and all will be potentially vulnerable to social-engineering attacks in their home environments. Partner and associate companies and suppliers are also working in the same way, and thus the risk profile due to remote working is even higher.
What to consider when performing a DPIA:
- Can personal data be present on devices in the employee’s home? Is there sufficient physical security or do technological controls such as full disk encryption need to be put into place?
- If a personal device is being used, does it meet corporate requirements for antivirus and malware protection? Is it used by multiple family members?
- If VPN technology is used it can provide a route direct to a network. Are appropriate controls in place to ensure that the person signing in is authorised? Implementation of multi-factor authentication is strongly recommended.
- Is there increased risk due to internet usage on devices at home? Can you prevent access to sites hosting malware using the same policies used in the office? Some unified threat management firewalls offer this facility.
- Is there additional use of cloud-based storage or new software-as-a-service systems that contain personal data?
- Consider other types of data storage too – can paperwork be stored or disposed of appropriately?
- Are there any new sources of personal data processing caused by the changes put in place?
- Does the increased use of video conferencing require a change to your privacy policies or any new consent?
If additional controls need to be put in place, there are several relatively simple-to-implement measures that will reduce risk:
- Implementing multi-factor authentication for all system access. With dispersed devices, verify employee identity by requiring a second factor in addition to the password before granting access to systems such as email, VPN and cloud storage.
- Ensuring that any device has full-disk encryption. If a device is lost or stolen, an appropriate technological control is in place that could prevent the need to notify the ICO.
- Having a mechanism to enforce corporate standards for devices connecting to locations that could contain personal information, ensuring that appropriate antivirus and malware protection is used and disk encryption is in place.
- Consider using watermarking or labelling technologies to track personal information in documents. This can be used as part of a data loss prevention strategy.
- For data that can be shared with untrusted devices in another company, investigate using document encryption (“Rights Management”) software to protect all documents in a specific location.
- Consider using conditional access solutions to restrict access to documents to trusted companies based on their identity.
Once changes have been identified and controlled, make sure that your data subject access process can identify and search data in any new locations, especially cloud systems such as Microsoft 365. Check what search facilities are available. Consider also consolidating as many of your solutions as possible with one vendor, so searches and policies can be maintained in as few locations as possible.
Lastly, one major source of personal information that many companies have not considered is the growth of videoconferencing as part of virtual working lives. Video content may contain personal information both in the content of the video and concerning the meeting attendees, who may be either inside or outside your organisation. Having appropriate tools to search and query this data should be a key driver when looking to standardise on a video platform. Automatic transcription of meeting content for search is an extremely valuable feature.