Privacy, Pandemics, and Business Change…OH MY!!!
The world is in turbulence all around us. What started as a health and safety issue in Asia has had a cascading impact around the world.
Economic uncertainty, health and safety, work from home, IT security issues, continuity, and operational resiliency…it is like an intricate pattern of dominos falling over.
In response to the pandemic, business has changed. Business processes have changed, organizations are supporting remote home working on a huge scale, economic and health constraints have business operating with a reduced workforce with employees sharing responsibilities and wearing multiple hats. A time of change and crisis leads to compliance exposure.
One critical area of compliance risk exposure is privacy compliance. As business processes change in context of the pandemic, the flow and use of personal information has also changed.
The pandemic’s threats to data privacy
Access to personal data is allowed from home offices that might not be secure. Working with reduced staff, remaining employees have new and multiple responsibilities and may not be aware of how to protect personal information and privacy. With less oversight, employees may feel they can use personal information for purposes it was never intended for. Exposure to GDPR, CCPA, and other privacy regulations is growing during this crisis.
This is further complicated by increased scams and hacking attempts to compromise personal information. Hackers, scammers, and various cyber-underworld elements are using the crisis to gain access to personal information.
The elements of an effective privacy program
In this time of crisis, it is imperative that organizations maintain their privacy programs. This includes:
- Data and business process flows. As business processes and use of data change, it is necessary that organizations keep their data and business process flow diagrams and narratives current to reflect and control privacy in these processes.
- Privacy monitoring and controls. The organization needs to automate privacy control monitoring throughout the organization to ensure that personal information is protected and only being used for appropriate and approved uses.
- Privacy assurance. Audit and assurance of privacy compliance is difficult with individuals working from home, this requires the organization to use self-assessments and attestations to communicate to remote employees and get their confirmation on privacy compliance.
- Incident response and breach reporting. In a time of change, confusion, and crisis it is more likely that privacy breaches will happen. This requires that the organization have clearly defined privacy incident response procedures and breach notification steps laid out and ready ahead of time.
Organizations certainly have a lot of plates spinning during this crisis and change. It is necessary that organizations maintain privacy compliance and ensure that policies and controls are being adhered to in the midst of this.
What is your organization doing to maintain privacy compliance during this time?