Check out our latest GDPR update: The far-reaching July 16, 2020 Schrems II ruling invalidates the EU-US Privacy Shield and confirms the validity of Standard Contractual Clauses, as long as they’re properly monitored.
Prior to the Schrems II decision, Chris O’Connor, Director of eDiscovery at CDS, had the pleasure of interviewing Jonathan Armstrong, a partner at Cordery in the UK who has advised multinational companies across Europe on technology, risk and governance for more than 20 years.
If there is one thing their recent webinar discussion, “Protecting Data Privacy in a Pandemic: New Considerations Under GDPR” made clear, it’s this: Now is the time to revisit and refresh your GDPR Risk Assessments.
Below is a transcript of part of their discussion. You can access the recorded webinar here.
So today we’re going to talk about data privacy in a pandemic. We’ve already seen some changes, not necessarily in the law, but in the practicality and functionality of data processing.
I know that the UK government made some statements redirecting the responsibility for data privacy to individual regulatory agencies. How is that impacting things? Has it changed operations, the way that business gets done every day in England?
There are a whole host of issues around the pandemic and data privacy. I think if this was, I don’t know, an opera, we’re still only in the first act. I think there are more developments and challenges to come. In some respects, the original start of regulatory intervention gave many mixed messages.
Italy was one of the first regulators out of the blocks with some really quite prescriptive measures, saying that employers particularly were almost unable to manage the health of their employees, because that’s the state’s job and your job is to pay their wages, not to look after them.
But I think many regulators took more nuanced views and certainly some regulators have changed their stance as the pandemic has progressed. So, it’s been a true challenge for multinational organizations to keep up to date. And we highlighted guidance in about 40 countries and linked to it from the Cordery website and tried to draw some parallels, but it truly has been a challenging situation.
And at the same time, the added challenge is that for many of those people who are responsible for compliance, responsible for compliance with GDPR data protection legislation, they’re doing other things as well. They’re involved in the crisis management team. They’re involved in logistical arrangements on working from home.
And of course, many of those people have been working from home themselves when they’re not that used to it, and some of those people unfortunately have been unwell with the virus. We’re almost in this perfect storm, if you like, of increased obligations on organizations to comply and decreased resources for them to comply. So, it has been a challenge, Chris.
What has that really meant? Are solicitors or attorneys taking more time? Is the document review process taking longer? Or is most of the impact on export? Has it been moved either back to the EU, which has the same privacy laws, or to our work in the United States?
I think there are some issues there. For most of the document reviews that we hear about, of course, the real blessing has been that organizations like CDS have moved to more flexible ways of reviewing documents. I can remember looking at my first document review which makes me sound incredibly old, probably about 25 years ago, and it was paper, and it was renting out the ballroom of a hotel and literally looking through documents out of bankers’ boxes. And thankfully those days have gone. I think that people who are still doing hard copy reviews are having to do more adjustment.
In Poland, for example, the regulator has issued some fairly aggressive guidance on things like working on hard copy documents out of the office. You have to operate a library system, log documents in and log them out. The same sort of things we would do with a chain of custody if it was evidence, but with a regulator looking over your shoulder. I think in terms of electronic review, my suspicion is that most organizations, particularly those that were set up to enable remote working and already got two-factor authentication worked out, et cetera, et cetera, they maybe haven’t missed too much of a beat.
The real caution there, however, is if you’re technically, under GDPR, a data processor, somebody else owns the data. Let’s say, for example, Acme Corporation is the data controller and they’re investigating, I don’t know, litigation over Road Runner and his use of dynamite, and they’ve instructed Sue, Grabit and Run, the lawyers, to handle it on their behalf. Then in that case, the law firm is likely a data processor and Acme Corporation is the data controller.
You’ve always got to remember in that scenario that if you’re the processor, you’ve got to check everything that you’re doing with the data controller. I’m hearing that some people have moved to remote working without telling the customer or telling the client.
That’s a really dangerous situation because technically, from a GDPR point of view, that can make the data processor (I know I’m getting really complicated) a co-controller, which is not what you want to be in many circumstances.
There’s that odd little wrinkle about working from home and making sure that you follow the process correctly. But absent that, I think electronic reviews have stood up fairly well. There’s obviously an issue around the economy which is COVID-related where law firms are furloughing staff. They’re doing partial furloughs particularly in the UK, with four days working instead of five, so how does that relate to productivity?
I think we are going to experience some issues. We may experience some delays. The other way in which we may experience some delays, of course, is that the court systems aren’t back to normal. Some interlocutory hearings have been taking place by video call, but the courts are not back to full capacity yet. So, we’re going to see delays in the system.
Right. We’ve had some more set-ups here in the State of New York. And while the Feds have remained open all the time, I get the impression from most of the lawyers here that the data processes have slowed down.
But you do bring up an interesting point there. The idea of migrating to a work from home scenario for either an outside review company or a law firm. You’re going to move, first of all. You’re going to get your employees a machine; hopefully, they’re not using a personal machine. And they’re going to log into the system. They’re going to conduct data reviews.
What happens when the machine they utilize is unsecured? Everyone knows we’re at home, and everyone knows at least some portion of your day is dedicated to mobile searching on a computer. Now, cyber criminals are going wild, so what are the concerns when it comes to data privacy, when we have these additional threats? At the law firm office, the line has been hardened and there are multiple steps to protect data for clients. At employees’ homes, management doesn’t have the time, nor the rights, to storm into their home and find out what kind of security they’re running on their router.
Yeah, I think that’s a really good point, Chris. From my perspective, firstly, it’s not a given that they’re working on organization-owned devices. And we’re hearing some pretty bad stories of people who haven’t had the ability to supply company devices. The most extreme I’ve heard is that an organization detected that an employee was using an old unpatched PC and they were a little bit surprised when they knew that he had a work-issued device. And he said, “Yeah, actually, my wife’s getting really stressed with working from home, so we’d swapped machines.” So, all of the hardening that the organization had put in place was protecting his wife and that employee, but not the organization that had issued the device.
I think some organizations are taking steps to look at the devices that are connected. They’re looking at added VPN strengthening measures and I think that all of that makes sense. They’re looking at how devices are transported. Obviously, people aren’t traveling as much at the moment, but when partial office working resumes, they’ve got all of that to think about. Phishing attacks are definitely on the rise. I think part of that is because they know that there are vulnerabilities. They know that in an office environment, oftentimes, you’ll check with the colleague next to you and say, “Look at this, does it look a bit odd?” And people aren’t replicating that in the working from home environment. At least anecdotally, people seem to be clicking more.
Ransomware is definitely up. We’re seeing all sorts of terrible attacks there. Pre-COVID, 29% of ransomware attacks were on healthcare. We believe that that’s higher now. These are hideous criminals who are targeting the healthcare system at this time. We know that with the WannaCry virus, for example, the UK National Health Service estimated that it cost 92 million Sterling to recover from WannaCry.
We know that healthcare is regarded as a soft touch. Some sectors are going to be more vulnerable than others, but the criminals feed on the fact that when people are desperate, they take short cuts. So we need to guard against that.
And, as I said, in most cases from a GDPR point of view, you have to do that risk assessment. The sort of things you were discussing, Chris, you do that in a formalized way under what’s called a Data Protection Impact Assessment (DPIA), but you’ve got to look at security of the device, security of the connection and also the other thing – our biggest data breach in year one of GDPR was due to the hot weather. We often forget that places like offices tend to be better ventilated than homes in Europe. We don’t tend to have air-con. In the UK, we don’t tend to need it. But on those rare hot days, you leave a window open. In this case, the executive at this organization left his laptop there.
He was working with the door open. A caller came to the front door. He left his home office. The device was left out of the open window. Whilst he’d been told only to connect with the VPN and not to save documents on the hard drive, we started off assuming that was the case, and then he said, “This is the time I should tell you about all of the stuff I saved on the hard drive.” And he had a legitimate, in his view, reason for that because he sometimes worked in environments where it was hard to get into the VPN.
But at the same time, that’s an awful lot of data potentially on people’s devices that you have to disclose to regulators. And bear in mind the fact that whilst regulators have been understanding with some aspects of data protection, it seems they’re not understanding in terms of these 72-hour deadlines to report data breaches. So, you’re still likely going to have to report a breach. You might have more tolerance from a regulator but you’re going to have to get that work done.
And then the final point I’d say is that now is the time to refresh those risk assessments. I think a lot of people did that risk assessment about March time. It was a, I wouldn’t say panic, but we’ve one client that moved 15,000 people out of the office into their homes in 48 hours. 15,000 people. That’s a big achievement and well done, them. But what they’re doing, rightly, is they’re saying, “Okay, that assessment we did got us through March, April, May. Now it’s June, we have to revisit that assessment.”
We know that we’re going to be home working for at least some of the population, maybe until the spring, maybe even longer. How can we harden those devices? How can we harden those connections? People with admin rights, should we be adding extra measures to protect their connections, because that’s where there are vulnerabilities? A lot of people are going back and checking that risk assessment again now.
I think, as you pointed out, as we go initially back to the office, wherever that may be, I can’t assume everyone goes back on Day One. While we used to worry about, at a law firm site, partners leaving laptops on planes… The list of questions for the next morning’s depositions sitting on a plane. That was an isolated population to worry about but now you’re thinking about everyone who has access to a company device, back and forth every day on trains, driving, whatever. Having their window open. There’s still a lot of uncertainty. These types of things, they don’t go away.