5 Data Privacy Insights in the Time of COVID-19

Stacey Garrett

As businesses around the globe prepared to meet the demands of new data privacy laws and regulations in 2020, the world was thrown a curveball in the form of COVID-19.

At Mitratech’s virtual summit, The Future of Compliance, I sat down with Mitratech Managing Director of compliance products, Mark Delgado, and GRC 20/20 founder, Michael Rasmussen, to discuss what’s changed and what hasn’t.

Here are five takeaways on the effect of COVID-19 on data privacy and business practices:

1 • Despite the global pandemic, private enforcement of data privacy laws has not slowed

The California Consumer Privacy Act went into force in January 2020. Although the CCPA is still in its infancy, at least 19 lawsuits have been filed alleging violations of the CCPA or alleging violations of other consumer protection and unfair competition laws based on the CCPA.

Some of the lawsuits are class actions alleging that the plaintiffs’ sensitive personal information has been breached as a result of the defendant’s failure to implement and maintain reasonable security measures.

In those cases, the plaintiffs seek statutory damages of between $100 and $750 per consumer per incident, which can add up fast. Other lawsuits seek to test the limits of the CCPA and will require judges to interpret and apply the law in ways that will have lasting effects.

2 • Regulatory enforcement of data privacy laws has also not slowed

California Attorney General Xavier Becerra will begin enforcing the CCPA on July 1, 2020. In March 2020, 60 trade groups and companies asked the AG to postpone enforcement of the CCPA to January 2, 2021 because of COVID-19 and because the CCPA regulations still had not been finalized. The AG declined.

Instead, the AG’s office has reiterated that it is committed to enforcing the CCPA starting on July 1, even with the new reality created by COVID-19.

3 • Increased remote workforce puts a premium on data security

As a result of COVID-19, there was an overnight shift to work from home. Consider these statistics:

  • 88% of organizations have encouraged or required their employees to work from home.
  • Remote work is here to stay. 75% of companies plan to permanently shift to more remote work after COVID-19.
Figure 1: 74% of Companies Plan Shift to More Remote Work Post-COVID

And with the shifting workforce come shifting risks to data privacy and security. Organizations are facing an increase in email-based threats and endpoint security gaps. Many of the firewalls and other security measures that exist in the corporate environment are absent from the home office environment, which makes data vulnerable.

Businesses can mitigate this risk by supporting remote workers with security infrastructure, training workers on how to recognize security threats, and educating workers on the culture of privacy protection and compliance.

4 • Companies are reporting an uptick in consumer requests for access and deletion

Whether the increase in consumer requests is because consumers are becoming more aware of privacy rights in general, or because they are spending more time at home and online as a result of COVID-19, the result is the same: more and more consumers are exercising their rights under the CCPA and under the European Union’s General Data Protection Regulation.

As a result, businesses must be prepared to acknowledge and respond to consumer requests within the time periods required by applicable law (generally 45 days under the CCPA and one month under the GDPR). Businesses that have focused on streamlining and automating their consumer intake, acknowledgment, data retrieval, and recordkeeping workflows will be better equipped to efficiently and accurately respond to increased consumer requests.

5 • Return-to-work programs add new challenges

As businesses contemplate employees returning to offices, factories, and retail and service locations, many are considering how to keep workers and visitors safe from exposure to COVID-19. As part of this process, many businesses are taking employee temperatures, and others are asking employees to provide medical information in the form of health histories and current health attestations.

Depending on applicable law, the collection and retention of this personal information may require notice to employees. The CCPA, for instance, requires that businesses notify workers and consumers of the personal information that the business collects about them and the business or commercial purpose for which the information will be used. The GDPR likewise requires that the data controller inform individuals of the purpose of processing the data, along with the legal basis for processing the data.

As employers collect more personal information from employees, data privacy notices and policies will require updating to keep pace with collection practices and to ensure secure handling of sensitive data.

These five key takeaways are just the highlights of our in-depth panel discussion. To listen to our full conversation on data privacy in this new world, check out our full panel discussion here.