DPO’s challenges during COVID-19

by Sypher - May 06, 2020

COVID-19 disrupted business across the world. From production to promotion, every area was impacted. But for DPOs, this pandemic brought new and specific data privacy challenges.

Adapting to the increased security risks as work from home becomes the norm

Working from home, where possible, became the norm in most companies. Besides flexibility and productivity, it brought increased security risks. Most of the threats relate to unsecured connections, employees using their own devices and new apps, sharing data in the cloud, and phishing. And all these threats may need to be mitigated by a smaller or busier IT team.

What can the DPO do under these circumstances? Update and adapt the policies on employees using their own devices and working from home on mobile devices. Set clear procedures for reporting security incidents and for obtaining remote technical support. Limit access to critical systems and put in place training sessions on properly configuring Wi-Fi networks, antivirus software, and VPNs. More details can be found on the European Union Agency for Cybersecurity website.

Balancing the need for privacy with the need to prevent employees from getting sick

Employees getting sick is a major risk for every business. According to the EDPB, GDPR rules continue to apply during the pandemic: GDPR principles do not hinder the fight against COVID-19, but a state of emergency may limit some freedoms.

Guidelines on processing health data for prevention purposes are available in this EDPB statement. The most likely lawful bases for processing remain preventive medicine, public interest in the area of public health, consent, and national legislation. Applying the principles of proportionality in processing and data minimization is also required. For more details, please access this link.

At the European level, we noticed some differences in applying these principles, according to each country's legislation. It is generally allowed to ask employees to report whether they have a fever or other associated symptoms and whether they recently traveled or plan to travel to a high-risk area. Checking employees' and visitors' temperature is allowed only under specific circumstances. And it is usually forbidden to disclose the identity of a sick employee. This Baker McKenzie report and this Bird & Bird report present the main particularities across countries.

Sharing data with the authorities

Guidelines on sharing data with the authorities existed before COVID-19. Proportionality, purpose limitation and transparency were among the core principles.

The current situation, though, has led to a significant increase in health data processing. The challenge is associated with new diagnostic and monitoring systems and with medical clinics sending more reports. The EDPB statement on personal data processing and the EDPS report on using mobile phones for monitoring emphasize data minimization, limiting the risk of identifying the data subject, and collecting extra information only with the data subject's consent. Best practices revolve around data anonymization and minimization, limited retention periods, transparency, and documentation.