Data protection-related challenges in the "temporary" world of Covid
By Dimitar Mutafchiev, Data Protection Officer at DSK Bank
I do not think that there is a person in the world who didn’t find 2020, to put it mildly, a challenging year. On the other hand, I do believe that when people struggle as individuals, that reflects on businesses rather quickly – after all, you can’t expect people to act normally when they are locked involuntarily inside their homes for a considerable amount of time. One year into the global virus-related crisis, a lot of organizations still consider this a temporary situation and hence implement temporary measures, which in most cases deviate from their security and operational rules. This contributes to the accumulation of risk that exists outside of the traditional measurement models and which may surprise many. When we talk about risk, we all tend to focus on the obvious: the ever-increasing use of technology in daily life and its effect on privacy, mass profiling or surveillance, the benefits and disadvantages of big data, cybercrime, fake news and social media, contractual relations with vendors in the context of a dynamic international regulatory and political framework, etc. This is all fine and understandable when life goes on at its normal pace, but given the "temporary" organization of the world, life and business, we may want to address other issues as well.
The home office venture, although great from a medical point of view, constitutes a pretty significant challenge to organizations – both private and public – that didn’t build their infrastructure around that model. As a rule of thumb, the business models and operations of those organizations tend to be data heavy. This is where our first problem comes into play – how to maintain the integrity of data processing throughout a remote environment.
A quick solution would be to increase security measures and the monitoring of employees’ activities. This may be true on paper, but in reality, even if it is technologically possible – and this says much on its own – it will likely lead to excessive processing of employees’ data, especially if it takes place in the European Union, which takes us back to the starting position, namely considering the regulatory risk at stake. As often happens in the data protection field, the solution must be tailored to the specific needs and strike a balance between the organization’s interests and employees’ rights. This endeavor is not only for the privacy team to bear, but must include a broad effort from all levels and areas of the organization and be decided by C-level officials.
Another big issue with home office is employee discipline. Having in mind that some employees process a vast amount of data, you need to realize that there is next to no effective control over who can access that data, except for the individual sense of responsibility of the employee. To make matters worse, most of that data would never have left company premises if it wasn’t for the pandemic. Training can help mitigate that risk, but if the organization did not create a sufficient mindset in the years prior to mass home office, then it is very safe to assume that you will face unpleasant situations.
Behavior in general is modeled, among other factors, by environment. Traditionally, most organizations put the majority of their security measures in place to protect themselves from outside attacks. Picture this – a mom’s or dad’s laptop can be of particular interest to a child. After all, a successful "hack" of company data can get you a long way in the schoolyard. And remember – the data isn’t supposed to be there in the first place. I am sure that most companies don’t have a “data stolen from an employee’s child” risk category in their models. The example serves to illustrate that when at home, people tend to feel safe, and that feeling can be deceptive. This can be used very successfully as a social engineering technique, especially given the fact that most of our social interactions in the past months were via electronic channels. Staying home most of the time can make you sleepy, not on edge – with blurred senses and judgment. This ultimately leads to an inability to tell when you are being tricked and when you are being told the truth – or, as the movie goes – “It’s hard to know which in your pyjamas.”
With the above I tried to look at some risks that became particularly tangible in 2020, and it seems that they will be a serious factor in 2021 as well. We all hope that life will return to normal as soon as possible, but until this wish becomes a reality, the silent risks that build up outside of traditional models should be addressed in a way that tackles the issue while remaining compliant with the relevant regulations. The introduction of new and adequate security measures, both technical and organizational, a clear understanding of the activity and the associated risks on the management side, and an assessment of how all this affects customers and employees will, as always in the data protection field, make the difference.