Rapid deployment of remote working to address the Covid-19 crisis has resulted in many B2C businesses failing to meet their own GDPR policies and data protection practices. While the Information Commissioner’s Office (ICO) has stated that it “won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”, this leniency won’t last forever. Companies need to ensure they know what data they hold and where it resides, on premise and remotely; the pandemic is not an excuse for non-compliance.
As DPOs and CIOs retro-fit GDPR tools to a remote environment, we asked Tim Dunn, CEO of eSpyder, for his insights into the current conditions. In the interview below he talks through the challenges of data privacy compliance with a remote workforce and how to ensure your business and your Personally Identifiable Information (PII) are protected.
Remote working and GDPR with Tim Dunn from eSpyder
Q: What are the main implications of remote working for GDPR compliance?
Tim Dunn: “There are a number of challenges and implications associated with remote working, particularly in the current climate where these working practices have been implemented under extreme pressure and aggressive timescales. As a result, often the supporting business continuity policies and measures have been inadequate.
“A primary issue is that remote users are outside the boundaries of your internal IT infrastructure and therefore the internal security measures and systems that are in place to protect your employees and corporate data are no longer effective in controlling data access, storage and sharing.
“Also, many users are resorting to using their personal PCs and laptops, which typically don’t have the necessary security and controls in place. Fundamentally, many companies are losing visibility and control over the access and storage of critical and sensitive corporate data.
“Now that the immediate goal of ‘keeping the lights on’ has passed, there is a need to ensure that remote working has the same protections and visibility controls as traditional corporate data protection. This way of working will become ‘business as usual’ from now on.”
Q: In your experience, how high on the agenda do you think GDPR was when organisations started rolling out remote working en masse in early March?
TD: “It is fair to say it was immediately identified as a concern and business risk, but organisations typically continued in the knowledge that they would have to address this as soon as possible.
“Maybe the risk has been underestimated. Fraud and cyber crime have risen sharply during the crisis and personal information is a prime target for fraudsters. It’s a sad fact that fraudsters are often more agile in identifying vulnerabilities and exploiting them than companies are at resolving them.
“Certainly, it should now be priority number one for any organisation.”
Q: What percentage of B2C companies do you think had a remote working policy that included GDPR prior to lockdown?
TD: “That’s difficult to quantify, but certainly a large majority of businesses had to move very quickly from office-based environments such as call centres to home-based workers providing the same business functions. Even where policies existed (which they often don’t), they were not necessarily implemented.”
Q: A critical part of data privacy compliance is ensuring employees understand their responsibilities. Do you think employees in general understand the implications of remote working and GDPR?
TD: “Understandably no. Many employees do not appreciate the risks and appropriate working practices. Training in protecting data has not been undertaken by many companies since national lockdowns started. This is compounded by the fact that fraudsters are very sophisticated and do understand how to exploit the deficiencies in business practices and the IT systems underpinning them.”
Q: In your opinion has this changed over the last 10 weeks? Has awareness increased, and are staff being given the tools to protect Personally Identifiable Information (PII) and sensitive data like a company’s IP?
TD: “The picture is mixed, though in general companies are behind the curve in terms of addressing effective data protection under remote working conditions. One of the main issues was that many companies didn’t know what personal information was held on employees’ machines before the crisis, so now that those machines are outside the protection of the corporate network, there is a potential immediate risk, which has grown as data is being accessed and stored remotely.”
Q: Do personal devices present a bigger problem than corporate laptops and desktops?
TD: “Probably yes. Some companies support “bring your own device” (BYOD) and have policies and technology in place to protect the personal device. However, many companies are using both corporate machines and personal devices whilst at home and sharing data across both. This is typically against corporate policy, but not enforced effectively.”
Q: Is it just company PII that’s impacted by remote working? What about other data which employees may be storing on their personal devices?
TD: “There are various types of sensitive and commercially valuable data that may be at risk. For example, trade secrets, internally confidential communications and financial data.
“There are also other regulatory requirements such as the storage of Card Payment Data (PCI DSS) which need to be enforced.”
Q: We’ve heard of some organisations deploying monitoring software to track how employees use work laptops and devices to protect against misuse. Is this an option you would recommend? What about the employees’ right to privacy?
TD: “I think it is reasonable to protect company information and IT assets, indeed there is a regulatory duty to do so for data such as PII. If you allow people to use their own machines, then ensuring that sensitive data is protected on that machine is fair. Ring fencing a work area on the machine is one way to ensure boundaries of privacy.
“As much as possible, without compromising data protection, it is preferable to adopt a “Trust, but Verify” approach to monitoring data storage and sharing. At the end of the day though, the company is liable for any data breach and the associated penalties. These will be severe if the appropriate controls weren’t in place.”
Q: Have you seen any trends in terms of the kind of data that is being accessed remotely in a non-compliant way? Is this a problem for specific departments within a company?
TD: “It’s a little early to highlight trends, but sales, marketing, customer support and finance teams are all working from home and require access to sensitive data. Whilst many of the supporting business systems may be cloud-based, such as the CRM, Service Desk Solution or ERP, users are often exporting data locally to review and manage.”
Q: It’s been reported that some companies are seeing an increase in DSARs during the pandemic because people have more time on their hands. Is this something you’ve witnessed?
TD: “We have seen an increase in DSARs. To be fair this is not only due to people having more time on their hands, but also because there has been more awareness of privacy issues.
“One interesting issue is ex-employees “weaponising” DSARs and requesting data from their ex-employers. In fact, there are a number of law firms who are using this as a strategy for disgruntled ex-workers taking action against their former employers.”
Q: Can you share some advice for handling a DSAR when users are working remotely?
TD: “The key to effective DSAR handling is to make the process agnostic to where the systems and datastores reside. This means that you should be able to scan PCs, Laptops, Data Servers (cloud and on premise) regardless of location and get visibility to what data resides in each system and store.”
Q: What additional tools should companies deploy to protect data in a remote working environment?
TD: “Solutions that ensure data can only be stored and accessed from the authorised system / datastore. Also ensure that data is encrypted both whilst stored (at rest) and when being accessed (in transit).
“Most important is a solution that provides visibility to where all your sensitive data is stored and provides a clear view of your regulatory compliance status.”
Q: If a DPO or CIO is concerned that PII is not being handled compliantly, but because of remote working can’t identify where, what can they do to get visibility over the company’s data?
TD: “GDPR Data Discovery and Compliance Reporting Services can help. Not only do these identify where data is held and provide GDPR assessment and implementation, they can also reduce the cost of compliance significantly.
“For many companies the cost of handling DSARs is more damaging than the threat of a fine for an infringement. It can involve weeks, even months, of data discovery and consultancy services to respond to just one DSAR if you don’t have effective data privacy compliance in place. Services like Cloud Business’s GDPR Compliance Platform make it quick and easy to undertake DSARs and tighten up data protection regardless of whether users are on site or working remotely.”
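The kind of discovery scan Tim describes above (scan PCs, laptops and servers wherever they sit and report what personal data resides where) is illustrated below with an added example written for this page; it is not eSpyder's engine or Cloud Business's platform code. It walks a directory tree and flags e-mail addresses, strings shaped like UK National Insurance numbers, and payment card numbers that pass the Luhn check (the PCI DSS concern raised earlier), so that order numbers and other digit runs are not reported as cards. The folder layout, file contents and detection patterns are all constructed for the example and deliberately simplified; a real discovery tool would carry many more detectors, handle binary and office formats, and map each file back to its owner and retention policy.

```python
"""Added example: a minimal PII discovery scan over a directory tree.

Heuristic detectors only (constructed for this page, not eSpyder's engine):
e-mail addresses, strings shaped like UK National Insurance numbers, and
payment card numbers that pass the Luhn check (the PCI DSS concern).
"""
import re
import tempfile
from pathlib import Path

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed by Luhn below
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Simplified UK NI number shape: two letters, six digits, suffix A-D
NI_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return {category: sorted unique findings} for one document."""
    found = {"email": set(), "card": set(), "ni_number": set()}
    for m in EMAIL_RE.finditer(text):
        found["email"].add(m.group())
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drops order numbers and other digit runs
            found["card"].add(digits)
    for m in NI_RE.finditer(text):
        found["ni_number"].add(m.group())
    return {k: sorted(v) for k, v in found.items() if v}


def scan_tree(root) -> dict:
    """Walk a directory and report, per file, which PII categories it holds."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")   # text files only here
        except OSError:
            continue
        hits = scan_text(text)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def demo() -> dict:
    """Build a constructed 'home worker' folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "exports").mkdir()
        # A CRM export saved locally, as described in the interview (constructed data)
        (root / "exports" / "crm_export.csv").write_text(
            "name,email\nAlice Smith,alice@example.com\nBob Jones,bob.jones@example.org\n")
        # Scratch notes mixing a test card number, a non-card digit run and an NI number
        (root / "notes.txt").write_text(
            "Card used: 4111 1111 1111 1111 expires 12/25. "
            "Order #1234567890123 is not a card. Employee NI: AB123456C\n")
        (root / "readme.txt").write_text("Nothing sensitive in this file.\n")
        return scan_tree(root)


if __name__ == "__main__":
    for file, hits in demo().items():
        print(file, hits)
```

Run it as a script to see the per-file report: the CRM export is flagged for e-mail addresses, the notes file for one card number and one NI number, and the readme is absent because nothing matched. The Luhn check is what keeps the 13-digit order number out of the card column; without it a naive digit-run regex would report every long reference number as payment data.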
Cloud Business has partnered with eSpyder to support our customers with a GDPR Data Discovery and Compliance Reporting Service. For further information please contact your Account Manager or, for new customers, call 08456 808538 or email firstname.lastname@example.org
About Tim Dunn
Tim has been in the software industry for the past 30 years, with the last 20 years spent specialising in the Cyber Security and Data Protection arena. He is a trusted advisor for many global organisations on Data Privacy and Cyber Security technologies.
As well as managing a number of successful start-ups, Tim also managed the UK business of Baltimore Technologies, a major security software vendor, and the security businesses of CA Technologies and BMC Software across EMEA.
In 2017, Tim co-founded eSpyder with Thomas Zell and Jason Coleman to support Data Protection Officers (DPOs) in their role of ensuring company compliance with the GDPR and regional data protection legislation.
eSpyder has been designed from the ground up to provide DPOs with the tools to respond to Data Subject Access Requests (DSARs) quickly and easily. It also allows users to track progress in terms of DSAR processing and corporate data storage and retention. It is designed to be invisible and seamless for users, but fully configurable for administrators and GDPR consultants. eSpyder is able to rapidly identify Personally Identifiable Information across a customer’s estate, whether on servers or clients, visible or hidden, remote or on premise.
Cloud Business’s GDPR Compliance Platform is based on the industry-leading eSpyder Enterprise PII identification engine.