Data Privacy During a Pandemic: Rules Abroad and At Home

Since its inception in Europe in 2018, the General Data Protection Regulation (GDPR) has made the topic of respecting personal data one of the most popular in business and regulatory communities worldwide.

What we are experiencing today with the pandemic can be considered a major challenge of the GDPR. If your company operates within the European Union (EU) or offers goods or services to individuals within the EU, you should pay attention to how the GDPR is being implemented. How this challenge is navigated will determine the extent to which this law protects people’s personal data while at the same time, provides the flexibility needed to avoid becoming a heavy burden on organizations and be seen as an obstacle for economic growth.


Flexibility of the GDPR is reflected in the declarations of several regulators. For instance, the Information Commissioner’s Office in the UK (ICO) highlighted that organizations may lack resources, which could impact their ability to comply with some aspects of the law. Furthermore, the ICO confirmed that a flexible approach will be adopted, taking into consideration the impact of the pandemic on the economy. The ICO underlined that support will be provided to organizations as they recover from the public health emergency.[1] However, the regulator also noted that people’s rights in terms of data privacy remain applicable and must be protected.

In parallel, the Commission d’accès à l’information du Québec pointed out that for public organizations and private companies, the usual provisions related to the protection of personal information remain applicable.[2] This demonstrates that the current pandemic should not be considered a green light to get out of data privacy obligations and laws.


DATA PRIVACY THREATS ARE REAL AND IMMINENT:

  • The fight against COVID-19 has forced organizations to introduce various forms of remote work.
  • The transition to this new way of doing business was sudden. Consequently, if a company did not have a culture of remote work before, the organization and its employees may not be adequately prepared and trained in terms of data protection risks, including personal data.
  • The new reality comes with other challenges for IT and security teams.
    • The use of personal Wi-Fi networks and home routers represents an increased security risk – these devices can be more easily compromised than enterprise-grade equipment – which increases the risk of data leakage.
    • Because communicating in person has become difficult, the volume of files exchanged through e-mail or shared sites has increased drastically, increasing the risk of transferring sensitive personal information via less-secure means.

LAW 25 (FORMERLY BILL 64): A GAME CHANGER

On June 12, 2020, Quebec’s Minister of Justice, Sonia LeBel, introduced a Bill to modernize the Privacy Act.

In a press conference on the same day, Minister Lebel pointed out that our current laws are not robust enough to ensure an adequate protection of personal data[3].

This means that any private or public organization doing business in Quebec, or selling goods and services in Quebec, that uses personal data must do what is necessary to protect personal information. Any non-compliance with this new law will be very costly for any organization: previously, the fines under the Act were only $10,000, and $50,000 for repeat offences. Law 25 (formerly Bill 64) now increases these penalties to the greater of $25 million or 4% of worldwide sales. The minimum fine is now $15,000.

More than that, the Commission d’accès à l’information du Québec would also have the power to impose, in the private sector, administrative monetary penalties of up to $10 million or 2% of worldwide sales.

Therefore, we believe that prior to the coming into force of this law, organizations must have a clear picture of how they access personal data, where it is stored and how it is used.


HOW CAN RICHTER HELP YOU?

At Richter, we are aware of the criticality of protecting organizations’ data. Our team of experts can help you:

  • Put in place a Data Privacy Framework, along with policies and procedures;
  • Review the robustness of controls and measures surrounding Data Privacy;
  • Benchmark the design and operational effectiveness of your practices against the requirements of best-in-class frameworks and laws (GDPR, etc.);
  • Provide training to your teams on the safe handling of data;
  • Build an inventory of the personal data collected, processed and stored by the company;
  • Build a mapping of the data collected, processed and stored by the company; and/or
  • Ensure that your IT and security teams have adequate resources to help your organization overcome the challenges of our new business reality.

[1] https://ico.org.uk/media/about-the-ico/policies-and-procedures/2617613/ico-regulatory-approach-during-coronavirus.pdf

[2] https://www.cai.gouv.qc.ca/pandemie-de-covid-19-protection-des-renseignements-personnels-et-securite-de-linformation/

[3] http://www.assnat.qc.ca/fr/actualites-salle-presse/conferences-points-presse/ConferencePointPresse-62359.html