COVID-19 Advice Series: Are you business ready for Coronavirus?

It could be said that the first quarter of 2020 has been somewhat challenging. With the World Health Organisation last week declaring COVID-19 a pandemic, organisations are closely following government advice on how to deal with the new virus. We are hearing a lot in the press about “self-isolation” and people being allowed to “work from home”. This is no doubt good advice from a medical context, but what about the legal implications for organisations that are considering doing this?

As data controllers, under data protection legislation organisations have legal obligations to make sure that they have in place appropriate organisational and technical measures to keep data secure. Organisations may also have contractual obligations to keep confidentiality – have you checked your commercial contracts and NDA’s? Now more than ever policies and procedures (“organisational measures”) and cyber security measures (“technical measures”) are of vital importance – pandemic or not, regulators, customers and those you do business with still expect those entrusted with their data to keep things secure.

It is clearly the case that the situation is fast moving at the moment. With this in mind when thinking of activating your business continuity plans you need to assess (amongst other things) the following:

  • do we have in place the right policies, procedures and technical measures to meet our legal and contractual obligations?
  • when did we last review / test them?
  • if considering new ways of working, do we need to carry out a Data Protection Impact Assessment?

Do not forget that not only should you consider the above, but you also need to document the decision making process itself and the outcome – you may be asked to explain why you took certain actions and a robust documented risk assessment is a defence to an allegation that you didn’t put in place appropriate and proportionate measures to meet your obligations.

If you need any assistance with your data protection compliance, strategies to protect your intellectual property or would like to speak to someone about governance and risk management generally, please feel free to give the RDP Data Defence team a call on 01633 603178.