The Data Protection Implications of COVID-19


Tech Insights for ProfessionalsThe latest thought leadership for IT pros

Wednesday, October 7, 2020

The COVID crisis forced major upheavals in how businesses acquire, use and manage their data, creating fresh risk when following data protection regulations. All data security leaders and managers should be aware of the implications and plan accordingly.

Article 4 Minutes
The Data Protection Implications of COVID-19

Governments have launched various COVID apps, with some creating outcries over data privacy issues. The widely-adopted Apple/Google approach featured anonymized use of data, but some government developers wanted to access identifiable information that could be shared with other agencies.

Consequently, when COVID test results were made publicly visible, reports of data breaches in several countries, scam emails and fraudulent test requests undermined the legitimacy of official efforts, adding to the global worry.

If governments and state agencies can misread the data landscape so badly, what hope is there for businesses, forced to adapt and change how they operate in a bid to remain viable?

The best of privacy in a bad situation

The crisis highlighted plenty of shortcomings in existing business practices and demonstrated ways to create better solutions when it comes to data management.

Many businesses found they lacked sufficient knowledge or people in key data and privacy roles, while others made changes that delivered better solutions as part of wider IT packages. There was also plenty of information sharing among professionals.

Globally, governments are helping by providing a range of information, one example being the UK’s Information Commissioner’s Office and their pragmatic approach;

“We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate - if something feels excessive from the public’s point of view, then it probably is.”

But that doesn’t mean a free-for-all among businesses and operators looking to take advantage of data. The triggers of greatest concern to cyber security and data privacy leaders include:

  • Remote working teams creating new ways to capture data that don’t follow rules or best practices.
  • Remote workers with access to business and customer data not treating it as securely as when kept within the office firewall.
  • Remote workers home systems not having sufficient security settings.
  • Companies sharing data without traditional protections.

Security officers and IT departments spent the early days of COVID scrambling to ensure secure VPN connections for remote workers They also had to ensure devices were running with suitable protection software and that as much data as possible was stored in secure clouds or accessed from central servers and resources.

Even so, many people worked using insecure devices, meaning IT had less network control and oversight. They were also trying to protect networks in “closed” offices that were under increasing cyber-attack.

When it came to acquiring new data, the first weeks of COVID saw website forms and apps running without valid customer privacy acceptance messaging. This was something that web teams managed to address as the initial COVID panic subsided.

Privacy in the new normal

As the “new business normal” arrived, both government and company privacy officers had to balance new and existing protection measures and privacy safeguards. Regulators struggled to provide a clear degree of guidance while leaders were focused on results to secure their businesses and not necessarily their data.

As businesses approach the end of the year and staff return to work, there are two opportunities for IT and privacy leaders with concerns over data security:

  • To look back and understand what happened in the rush of lockdown, and see what could have been done better.
  • To retrofit any fixes to privacy problem areas that remain unpatched. The data authorities might be lenient for now, but not forever, so fixing outstanding privacy and data security issues is now a priority.

There’s also the chance to see how data privacy will evolve in the current climate, and how future legislation, systems and services will help businesses cope.

The solution doesn’t have to be complicated. Ensuring the appropriate privacy notice is in place at any data entry point and the right check boxes are present will help organizations provide clear and accessible privacy notices to customers or partners. These notices should highlight:

  • What data will be collected
  • How it is used
  • Who it is shared with
  • How long it is retained
  • How can you get it deleted

Taking a look at the basics and the digital efforts required to process these claims will allow most operators to relax their fears over data privacy.

Understanding the privacy landscape and future

Issues around GDPR and fresh legislation will continue, with the core principles of transparency, clarity, data minimization and purpose limitation all key aspects that businesses should aspire to. To deliver that, data privacy systems need to be simplified and every worker made aware of their responsibilities, as smaller teams without typical IT training start creating services that acquire customer or business data.

The growing threat of hackers, data breaches and theft will require advanced protection services across all businesses to defend data beyond the firewall, and to distinguish between valid information and increasingly obscure threat sources.

Tech Insights for Professionals

Insights for Professionals provide free access to the latest thought leadership from global brands. We deliver subscriber value by creating and gathering specialist content for senior professionals.


Join the conversation...