Privacy in a post-Covid company: it's time for a GDPR policy review.
Covid has forced companies to review how they manage privacy and data protection under the GDPR: the relationship with employees, the new ways of working remotely, and the handling and protection of users' sensitive data against breaches.
The various DPCMs (Decrees of the President of the Council of Ministers) and the other measures issued by the Italian Government during the lockdown, made necessary by the Covid health emergency, have put a strain on the processing of personal data in the health, employment, public and private sectors and led to unforeseen changes in it.
Companies are therefore required to adjust their internal privacy rules and to prevent privacy violations, because:
- relations with employees have changed with the adoption of smart working and remote working;
- relations with customers and suppliers have changed with the move of services and products online: home delivery, take-away booking, or online platforms for services such as the issuing of documents, reports and prescriptions and the booking of medical visits and health care services;
- collective work meetings have changed, with videoconferencing used for legal proceedings, public and company meetings, and school examinations.
In short, the whole offline model of providing services and supplying products has been upended by the need, imposed by Covid, to redesign them for online delivery.
Privacy in the company and the changes to personal data processing imposed by Covid containment and prevention measures
Among the measures with the greatest impact on the management of privacy in the company and on data processing are:
- checks on workers and contractors at the entrance to the workplace to verify their state of health;
- verification of whether or not they have come from infected areas;
- the reorganization of work at the places where it is performed;
- new ways of working remotely, online, and in smart working.
New post-Covid criticalities in the company's privacy management, new types of personal data, and the consequent adjustment of GDPR compliance
Some examples:
While an employee is at the workplace, the employer may come into contact with some of the employee's special-category personal data (health data under art. 9 GDPR), for example by observing symptoms compatible with Covid-19 infection. Similarly, the need to limit the opportunities for contagion may require organizing forms of remote work such as smart working and remote working. In cases like these, the processing of such data must be managed in accordance with the GDPR, which gives rise to some new requirements:
- the obligation to provide the data subject with specific, clear, precise and detailed information on the purposes of the processing;
- the method and duration of the processing in question;
- compliance with the principles of necessity, adequacy and proportionality of the processing;
- adoption of BYOD (bring your own device) policies regulating the use of private devices, software and computers;
- adoption of the security measures needed to ensure the cyber security and risk management of company data and information when private technologies and devices are used;
- updating of the record of processing activities;
- drafting and adoption of agreements with the social partners (trade unions) to regulate how smart working is carried out;
- adoption of procedures for monitoring output, the tasks assigned and the work carried out remotely, even before agreements with the social partners have been drawn up, obviously with full respect for the worker's privacy;
- rules and technical arrangements guaranteeing secure access by smart workers to the company network;
- adaptation of data breach management procedures;
- adaptation of the company's GDPR compliance provisions for the management of personal data of customers or employees outside the company's premises.
Adapting GDPR compliance: the new roles of the Data Protection Officer (DPO) and the Privacy Officer in the company
The changes to GDPR compliance imposed by Covid require new ways of managing privacy and employer monitoring, and affect the roles of the company's data protection figures, such as the Data Protection Officer (DPO).
Companies must involve the DPO in the reassessment of the Privacy Impact Assessment (the Data Protection Impact Assessment, DPIA) and of the adequacy, pursuant to art. 32 GDPR, of the technical, organizational and security measures for remote work, verifying and integrating them and informing employees of all the changes introduced by the new working methods. The DPO's function with respect to corporate privacy compliance is, moreover, not discretionary: the DPO must, for example, provide the company's data controller with the information relevant to designing and coordinating any new data flows that become necessary or appropriate, and supervise their regular management. Finally, the data controller and the data processor must cooperate to adapt the organizational instruments for containing the contagion to the rules on the processing of personal data.
Conclusions
The new rules may seem yet another obstacle to the development of the company's business. The DPO should instead be seen as a resource for organizing and planning the recovery of the business and the reconquest of its market, possibly with the new IT tools for personal data processing that technology offers today. Another opportunity lies in the reorganization of services: think, for example, of smart working and the possibility of rationalizing labor costs or the costs of maintaining company offices and workstations.
The changed social context brought about by Covid requires the company to reorganize in many ways; for example, the company's data controller may need to reassess the conditions that make the appointment of a DPO mandatory under the GDPR. In such a delicate context, companies will therefore have to organize themselves appropriately to cope with the change, without ever losing sight of privacy compliance, even when redesigning their activities.
Damiani&Damiani Law Firm offers a staff of experienced lawyers for GDPR compliance. Go to the website section on Data Breach, DPO and Smart Working, fill out the form and get in touch with the D&D firm for online consulting.