Well, what a year. Covid-19 has forced us all to vacate our offices and set up shop from the kitchen table. One individual who is certainly nonplussed by the change is the family cat who, in our households at least, has taken a fervent dissatisfaction to the laptops appearing and eating into their space.
While the cat’s curiosity is not going to cause a breach of GDPR (no matter how cunning they may be), there are several other data protection considerations which have reared their heads as remote working has become the norm.
Video conferencing platforms
Early on, in the first lockdown, social media was awash with rumours that one platform or another was able to be hacked or facilitated the hacking of other accounts. “Zoombombing” (where an individual hijacks a private videocall and often uses it to spread offensive images or content), a phrase none of us expected to know at the beginning of the year, is a risk we all now take steps to mitigate.
Meanwhile, several companies have been the victims of unsubstantiated gossip. The video chatting app Houseparty was so dismayed by what it believed to be unfounded rumours that it offered $1m to any user who could prove that the app was sabotaging a user’s device.
All this leaves us in an uncertain position when using video conferencing platforms. It may not seem serious at first, but calls often involve sensitive discussions which, if revealed to the wrong person, could result in a personal data breach as well as causing reputational damage.
To assist organisations, the National Cyber Security Centre has useful advice which will help you to use video conferencing services safely:
- Only download the software from trusted sources, whether that be the App Store, Google Play, or the platform’s official website (depending on your device). Avoid advertised links through search engines or links in unsolicited emails suggesting a download of a platform.
- Check the privacy settings and, where possible, minimise the data being shared. Also consider whether you need to update your privacy notices to ensure that they properly reflect the personal data which is shared with platforms you are using.
- Protect your account with a strong password. This may feel a basic step, but it’s a crucial one in protecting your account. Two-factor authentication is often available to act as an additional layer of security.
- Keep calls private, either by calling the recipient directly or sending personalised links. See if it is possible to add a password to the meeting for additional security.
- Know who is joining your call and consider using a lobby feature to double-check attendees.
- Consider your surroundings. Many of us are working in unfamiliar environments. Aside from the content of bookshelves providing a distraction from your contribution, you may also be unwittingly sharing information which you would ordinarily keep private. Platforms often have an option to blur/change the background which you should consider activating where this is a concern.
Personal computers are inherently more risky to use than a work-owned and maintained laptop. They are generally used by the wider family for purposes other than work (giving rise to a greater risk of viruses finding their way onto the device) and are often left without the latest updates and security patches.
Wherever possible therefore, laptops should be provided to staff, particularly those who work with significant amounts of personal data. Where this is not possible, mitigating steps should be taken (eg ensuring computers are updated to latest software versions, saving documents centrally rather than locally, and ensuring appropriate antivirus software is installed).
Personal emails should be avoided as any form of workaround given their susceptibility to malicious attack.
The bottom line is to use a common-sense approach. Undertake an assessment of personal data being used by individuals, consider the risk of personal data being lost, stolen or misused and its effect, and put in place appropriate measures proportionate to the risk.
Bear in mind when considering the best steps to take that personal data should be afforded a high value given the level of fines under GDPR. Erring on the side of caution may therefore be the best approach to take, even if the short-term risk seems low. A data protection impact assessment (DPIA) is a good process to go through to identify the risks, assess their likelihood and severity and put in place steps to mitigate them. There is further guidance on how to complete a DPIA, together with a helpful template, on the Information Commissioner’s Office (ICO)’s website.
Breach reporting and other data protection obligations
Many organisations have rightly focused on survival through the pandemic, but compliance with obligations under GDPR hasn’t been paused. Timescales for complying with breach reporting obligations and data subject access requests have continued to apply, though the ICO has been understanding of any missed deadlines so far. In September, the ICO published a document setting out its revised regulatory approach in light of the coronavirus pandemic, focusing in particular on data protection and freedom of information laws. This is another step towards returning to its approach before Covid-19, but with the caveats and exceptions that reflect today’s reality. Some highlights are set out below:
- Organisations should continue to report personal data breaches to the ICO, without undue delay. This should be within 72 hours of the organisation becoming aware of the breach;
- The ICO will continue to prioritise investigations that present the greatest harm to the public and its work that is directly related to its response to the pandemic;
- The ICO will continue to take a strong regulatory approach against any organisation breaching data protection laws with the aim of taking advantage of the current crisis;
- In deciding whether to take formal regulatory action, the ICO will consider whether the organisation’s non-compliance results from the coronavirus pandemic. It may give organisations longer than usual to rectify any breaches that predate the pandemic, where this has impacted the organisation’s ability to take steps to put things right and would not create undue risks to the public. This does not, however, give a free pass to organisations to ignore their obligations under data protection law;
- Before issuing fines, the ICO considers the economic impact and affordability of the fine. In current circumstances, this is likely to continue to mean the level of fines will be reduced.
The ICO’s approach has been understanding, but it is important that breaches, access requests and other obligations are dealt with promptly.
Away from Covid…
Despite Covid, there have been significant unrelated developments in data protection law this year.
International data transfers – Schrems
The recent Schrems II judgment means that charities sharing personal data outside of the European Economic Area (EEA) will need to review their arrangements.
The “B” word is back, but as at the time of writing we have yet to confirm whether a trade deal is agreed with the EU. If it is, an adequacy decision may permit data sharing with the EEA as if the UK was still a member, but that is far from certain.
The ICO shows its teeth, again, and other data protection cases
Following the British Airways and Marriott fines issued last year, the ICO had kept relatively quiet. However, it has now fined the ticketing company Ticketmaster £1.25m following a security breach which exposed customers’ personal data. As with Marriott and British Airways, the ICO is again showing that it will come down hard on organisations failing to take the security of personal data seriously. Ticketmaster is reportedly looking to appeal the ruling.
Meanwhile, in a potentially significant development, H&M (the clothing retailer) has been fined €35.3m by a German data protection authority for processing and retaining excessive information about its staff without being able to provide a lawful basis for doing so. This suggests that the data protection authorities are beginning to take a broader look at data protection compliance, levying penalties for GDPR breaches outside of the traditional fines for marketing and security failings.
Data subject access requests – new guidance
The ICO has issued clarification as to how a data subject access request can be scoped to allow for more meaningful searches to be undertaken. The guidance also goes into further detail as to how organisations should handle a data subject access request, and is therefore good reading for anyone involved in handling such requests.
We’ve flown through some of the key data protection developments this year, alongside some of the challenges faced in handling Covid. We mustn’t forget that 2021 marks the third anniversary of GDPR coming into force, which is an opportune moment at which to pause, reflect and update existing data protection documentation.
The final point to make brings us back to our cats. While it might be tempting to match their sleepy persona, that sleep, alongside their scratching and cleaning, stands them in good stead for the moment when they’re required to pounce. Be more like the cat, be prepared, and GDPR compliance will be that little bit easier in the future.
Peter Parker is a partner and Nick Dunn a solicitor at Wrigleys Solicitors
Charity Finance wishes to thank Wrigleys Solicitors for its support with this article