Continuing our monthly series by Dave Farrelly from DF Consulting on practical GDPR (General Data Protection Regulation) business compliance we look at some of the key personal data management considerations as your business copes with the Covid-19 pandemic.
In January we looked at what good GDPR compliance looks like and last month we highlighted some of the key things that your employees need to know when processing personal data. This month, as all businesses enter a period of uncertainly, we look at some of the practical measures to consider during this time.
Whatever your business, the way in which you process personal data, has most likely changed in the last couple of weeks and may do so for the foreseeable future. You may be a medical professional processing significantly more special categories of personal data, a business that has had to rapidly switch to a full remote working model or you might be in the unfortunate position of having to temporarily lay off employees during this time. You may need to ask employees and visitors to your premises for additional personal and health data as part of your Covid-19 responses and measures to reduce infection.
The Data Protection Commissioner (DPC) has made it clear that data protection laws will not stand in the way of the provision of healthcare and the management of public health. The DPC has reminded organisations that processing personal data, including measures to contain the spread and mitigate the effects of Covid-19, must remain necessary and proportionate to the personal data processing aims under data protection laws. Organisations must adhere to the GDPR principle that if they can reasonably achieve the purposes of their processing in other, less intrusive ways (or by processing less data) they should do so and without the need for a lawful processing condition.
So, what are some of the key considerations for businesses currently?
Has the legal basis for processing personal data changed with the outbreak of Covid-19?
In most cases, the legal basis for your day-to-day personal data processing will not change and will ideally be already captured in your Data Processing Log. You may at this time be requesting and processing additional and significant amounts of health data on patients, employees or visitors. Health data is considered special categories of personal data and in most cases the legal basis for processing such data will be ‘the provision of health or social care and treatment’ while in the case of data specifically relating to Covid-19 ‘public interest in the area of public health’ makes specific provision for the management of serious cross border threats to health which Covid-19 undoubtedly is. In emergency circumstances health data may be processed to protect the ‘vital interests’ of a data subject.
What do I need to bear in mind when processing personal data during this period?
As per guidance from the DPC you need to ensure that you continue to practice strong GDPR compliance. As well as considering the legal basis for processing personal data you need to continue to challenge the use of personal data, particularly in relation to data minimisation and only processing what is absolutely needed. Consider who has and who needs to have access to personal data and develop strict retention guidelines on data that is acquired during this time. Ensure team members are reminded about the importance of protecting personal data and the relevance of the data protection laws. If you are processing more than usual employee personal data practice strong confidentiality as well as full transparency on the reasons for the personal data requests.
How do I ensure my remote teams are processing personal data in a fully compliant manner?
For many businesses this will be the first time they have had employees work remotely, presenting new risk when processing personal data. Have you reminded remote workers about the importance of keeping personal data safe and secure as they carry out their roles at home? Make sure your employees are reminded of the dangers of phishing e-mails and that they don’t let their guard down during this uncertain time. Already an increase in such high-risk e-mails has been reported,
The DPC has issued excellent guidance on protecting personal data when working remotely. Why not share this useful link with your remote teams by means of a refresh as they transition to this new way of working for the coming weeks? It is also important to remind employees about key policies and procedures, particularly in the event of a subject access requests or data breach.
Dave Farrelly is a seasoned GDPR consultant offering businesses practical guidance, training and solutions to GDPR compliance. You can see more details on what Dave and his associates can support your business with at www.dfconsulting.ie. Dave can be contacted directly at firstname.lastname@example.org. Dave is happy to answer any specific questions or queries that you have in relation to processing personal data during the Covid-19 outbreak over e-mail at no charge to your business.
Published: 24 March, 2020