Insights overview

Privacy in the Covid 19 crisis do’s and don’ts: More haste, less speed.

Do	Don’t
Policies: Review your BYOD and Work from home policies to make sure they are up to the test.	Re-invent the wheel: Making hasty decisions is never a good idea. It is better to have a policy that covers 80% of the risk that 100% of your team follows.
Training: Make sure everyone is trained and aware of the importance of following these policies to keep data safe. Consider doing an online refresher webinar.	Expect people to implement changes over night: Changes need to be sensible and progressive. Making an effective rollout of any changes to policies and procedures takes time (people need to be familiar with it).
Reporting: Encourage employees to report any technical difficulties (such not having access to documents or vpn tools) so they do not try to bypass the official channel to do their job and thus create a security risk.	Scaremonger your team: The goal is that the team reports an issue. If they are scared of the consequences (especially getting fired in the current climate) they may be tempted to refrain from reporting minor-medium issues. A chain is only as strong as its weakest link, teamwork and trust is essential for privacy and cyber.
IT: Work with IT to make sure your cybersecurity measures are up to the challenge. Be alert – hacking and phishing are at a high right now.	Engage third parties in a rush: Keep your cool and do your DD on third parties before you give them any sort of access to your data. Don’t engage snazzy tools without speaking to IT first and seeing how that would work with your existing framework.
HR: Work with HR to see if additional processing is necessary (for example, to prevent the spread of covid 19 and give employees access to benefits). Always check was is acceptable in each jurisdiction.	Collect high volumes of sensitive data: that is not to say you can’t find out if employees have covid 19 (speak with HR), but make sure you are asking the right question and that you document the approach you are taking. Work with your comms or marketing team to make sure your messaging is positive.
Document: Any decisions made about the processing of data, especially if you are taking a risk-based approach. Explanations to the regulator may come later.	Create unreadable documents: Keep your records simple and clear. Always write for an audience that is not there.
Take this as an opportunity: To build your online market, think of new products in the digital world, to explore new ways of communicating and to test your policies, procedures and infrastructure.	Panic: The biggest disease of human kind. Don’t fall into the stampede. Build your business and hold tight, even this shall pass.
Get through your privacy to do list: After the GDPR hype other things have been prioritized. Take this downtime to re-visit and get your privacy compliance house in order. By doing so, you are investing for the future which will be, inevitably, be much more digital.	Ignore privacy: On top of everything else, a fine, reputational damages and being in breach of contract is something no one needs right now. Don’t let privacy become a problem, don’t ignore it.