Supporting clients with critical Data Protection and Cyber Security issues

17 March 2020
The COVID-19 international health crisis is creating unprecedented challenges for all organisations, with much uncharted territory ahead. Clients will want to prioritise their activities to ensure that the most critical issues are addressed ahead of less important ones, taking account of a likely backdrop of reduced resources and free cash.

DWF's Data Protection and Cyber Security team are mindful of these realities and are able to provide clients with rapid, no-nonsense critical support on the following matters:

Legal 'myth-busting': 

Accurate assessments of national and international legal requirements and rights and obligations concerning the handling, use and security of personal data and the digital environment, to enable speedy decision-taking about issues such as:

  • Tracking and monitoring of worker health and well-being, including the sharing of data within company groups and with third parties, such as health care professionals and the authorities.
  • Triaging, delaying or extending compliance with time-limited matters, such as Data Subject Access Requests (DSARs).
  • De-scoping compliance deliverables, such as Data Protection Impact Assessments and Legitimate Interests Assessments, to cover 'bare bones' essentials.
  • Enabling remote and agile working, including the speedy adoption of collaborative working technologies using common-sense controls.

Staff augmentation:

The provision of virtual and remote support, to cover resource gaps due to isolations and illness, including acting as temporary Data Protection Officers and EU Representatives.

Essential, defensible accountability: 

The performance of 'must-have' compliance tasks at a minimum level of quality commensurate to the resource levels available, such as risk assessments and other Privacy by Design requirements, so that in the future the organisation can defend its positions taken today.

Incident response:  

Assistance with the core requirements of incident response for personal data and cyber security requirements, including breach communications, so that the risks of loss and damage are reduced to the lowest levels reasonable to the circumstances we are now dealing with and to ensure that legal privilege is maintained.

Minimum Security Requirements:

Identification of the essential controls that should be adopted in agile working environments, including for the deployment of new business processes and technologies.

Quick-fire Q&A:

Barrier-free access to our experts, for here-and-now soundings, advice and recommendations. Contact details are below.

Ten ideas to support Data Protection and Cyber Security

  1. Data Protection law does not prevent the taking of reasonable actions for public and workplace health and safety. However, as the UK and Irish data protection regulators have reminded us, our choices need to be proportionate, so if anything new or unusual is to be done with personal information for public health purposes, reasons should be recorded, to provide a record of management thinking. Where employers are recording information about infected workers, there is still an expectation that personal data will be minimised, while the UK Information Commissioner advises that 'you probably don’t need to name individuals' when updating colleagues about infections in the workplace. We feel that limited identifications could be justified to support the wellbeing of others in the workplace, although 'need to know' parameters would have to be identified. 
  2. The regulators understand that breaching some legal time limits might be unavoidable due to resource constraints. The UK and Irish regulators have indicated that they will be sympathetic to the impact that resource challenges can have on the ability of organisations to keep up with the time limits allowed for handling Data Subject Rights requests. Organisations that feel they are falling behind schedule with responses would be wise to manage people's expectations and they should aim to track progress made. Many organisations maintain website pages on data protection for the public, which could be used to keep the public generally updated about overruns.
  3. Homeworking hygiene is achievable for safe and secure operations. To increase legal and operational resilience levels, homeworkers should be reminded of the essential 'dos and don'ts' of data protection and cyber security, such as being wary of email and telephone phishing attacks; being careful with paper files and records; not leaving laptops and other devices on and unattended, or lending them to others; and avoiding 'shadow IT' risks, e.g., self-procuring software, apps and devices for work without their employers' permission. Contacts and reporting channels for suspected incidents should be shared, perhaps utilising intranet home pages for high visibility.
  4. Incident response in a lock-down situation. Many organisations' playbooks for handling serious incidents will have assumed that named, key personnel will be present and able to come together physically in a war-room environment to see the problem through. The current situation challenges these kinds of assumptions, so it might be sensible to review incident handling procedures now, in contemplation of a national 'lock down' situation, or increased instances of self-isolation, to understand their suitability and to see if they could benefit from being simplified or streamlined.
  5. Notifying and reporting breaches is still an imperative. When attention is concentrated on other priority issues it would be easy to lose sight of the purpose of breach reporting, the central goal of which is the reduction of harm, loss and damage. Neither the UK nor Irish data protection regulators have green-lighted breach notification delays. It should also be kept in mind that additional reporting obligations will still apply under cyber security law, under sectoral regulatory law, under contracts and for listed businesses. Suppliers should keep in mind their obligations to their enterprise customers.
  6. Remembering third party Due Diligence. It's possible that many organisations will have to source temporary workers to deputise for absent colleagues, or find additional suppliers to cover gaps in the supply chain, while movement to agile working might involve the deployment of new technologies at speed. Reasonable Due Diligence should still be performed, but it might be possible to speed up critical risk assessments by focusing them on high priority risk areas, while remembering that large vendors are likely to have answers ready to hand on major issues like cyber security.
  7. Continuing with important business projects that are actually optional. The indulgences that organisations might receive from the regulators for delays in handling challenges like Data Subject Rights requests may not be forthcoming for truly optional business activities that deliver sub-optimum data protection and cyber security outcomes because of resource constraints. It might be helpful for organisations to review in-flight projects to understand whether they are potentially at risk, to identify risk mitigation options, including delays to 'go live' dates.
  8. Key people analysis and appointment of deputies.  Lots of organisations maintain RACIs, which clarify and define important roles and responsibilities on projects and processes, showing who is responsible for an action or task, who is accountable for signing off completion of an action or task, who needs to be consulted and who needs to be informed. Use of RACIs, or echoing of their purpose, may help organisations to track critical governance weaknesses in data protection and cyber security resulting from absences and the smart reallocation of duties to deputies and stand-ins.
  9. Records management processes to lessen over-storage and mishandling risks. Data volumes, including duplications, can grow exponentially in an agile environment if records management processes are overlooked, which can lead to immediate and downstream risks. Reminding workers of records management policy requirements is a simple, low-cost compliance and risk management step that all organisations can take.
  10. No regret activities. Identifying other simple, low cost 'no regret' activities may pay dividends downstream and once the list is created it can be published on the intranet and through other internal communications channels, alongside the reminders for security.

For help and support, please contact: