Data Privacy Business Continuity Blog Post Header
Data Privacy Business Continuity Blog Post Header

CCPA, GDPR, and 3 Steps to Sustaining BAU after COVID-19

Graham Machray |

If, as everyone hopes, the world is passing the peak of the COVID-19 pandemic, many organizations are planning how best, at the right time, to re-establish business-as-usual.

This is unlikely to be quick or easy, but having a deep understanding of the core issues will help ease the return to standard or near-standard business processes.  This, among other challenges, is a topic of our Virtual Summit on how risk and compliance teams can meet the demands of the pandemic and drive greater resilience and continuity if future disruptions occur.

Compliance couldn’t keep pace with COVID-19

The speed at which many workers moved to sustained home-working meant that not all the processes and procedures needed to maintain corporate standards could realistically be met.

Some staff took company equipment home, while others were forced to make use of their personal devices to do their work. Others had company equipment eventually delivered to their home, while other organizations did their best to revise and adapt their processes to reflect the new operational reality.

GRC Summit On-Demand Video

Regulations have remained in force

However organizations have reacted, there has been widespread suspension of corporate policy standards to maintain business services in very challenging circumstances. At the same time, external standards have not been relaxed, and this situation represents a key challenge for organizations attempting to restore business-as-usual.

Neither the California Consumer Privacy Act (CCPA), nor the EU’s General Data Protection Regulation (GDPR) have been changed in response to the pandemic, and organizations are still bound by their requirements.

The relaxation to company standards caused by home working has the unwitting potential for breaches of these data regulations. Addressing them will be a key issue as companies plan and execute their recovery to BAU.

The mixed personal/corporate IT environment, and the extensive use of (uncontrolled) workarounds both have the potential to compromise the strong data governance requirements that are core to CCPA/GDPR.

Three steps in getting back to BAU

The successful return to BAU under CCPA/GDPR will require companies to audit the formal and informal processes people have used through the pandemic so that data use and data security can be fully assured. This will require some detective work, but planned correctly, this can be done in a systematic and thorough way:

  1. This first step will be to consolidate and review the policy changes made by HR, IT and others prior to having staff working from home. This will provide a baseline of the changes that have been authorised.
  2. The second step will be to engage with staff and survey them to understand, in detail, exactly how they worked from home, which equipment they used, its level of security, the timescales involved, and whether there were any issues. In the majority of cases, there will be nothing that raises concerns, but triaging the issues that do emerge will help address any issues quickly and successfully.
  3. The third step is to address how data is used in the classic workaround toolset – the Excel spreadsheet. The power, flexibility and ubiquity of spreadsheets means that they are often used to help glue disparate processes together. The pressure to continue working as close to normal as possible will have accelerated their use still further during the crisis. It will be essential to understand quickly which spreadsheets have been used in critical business processes, and what changes have been made and by whom.

Taking these three steps will provide organizations with a data management framework that will accelerate the return to BAU, while supporting compliance with CCPA/GDPR. With the “return to normal” being so varied and unpredictable across the world, there is ample scope to start implementing these frameworks now.

This will provide risk and compliance managers with a detailed picture of how people are managing core business processes, outside of the normal corporate IT environment. This will help inform and enhance the detailed recovery planning that many organizations now have in place.

To learn more about how Mitratech can support your business through disruptions, and help you ensure “compliance continuity” to support the enterprise in future, explore our Virtual Summit, The Future of Compliance.