Rafting team splashing the waves showing privacy challenges in a new world

Three Privacy Challenges That Companies Still Face in Turbulent 2020

2020 has been an exceptional year. From lockdowns to layoffs, stock lows to highs, and from apprehensiveness about virtual working to embracing it, companies have gone through a lot. While it may seem that the year is through, there remain challenges. And, in this article, I share three key challenges I see in the context of privacy and data protection because one thing that has emerged from this crisis is that data protection is the default option.

If the privacy related discussions in pandemic are any indication of relevance of privacy, privacy is here to stay, and consumers are demanding it. Of course, this is only if you were skeptical and needed a validation that privacy was for real. As companies come to terms with the new world, it is essential that we focus on privacy challenges that are awaiting us. So, let us look at three such challenges from my perspective.

1. Companies need to review and assess all data transfers from EU to outside

The Court of Justice for the European Union has recently invalidated the privacy shield and reiterated that EU data protection standards and rules will travel with the personal data when it is transferred outside of EU. And, if that was not enough, it also said controllers are accountable to assess and take corrective actions. This is easier said than done. For companies struggling to cope up with shrinking margins, uncertainty into future and new ways of working, how does one expect a company to review all its data transfers outside of EU. In my opinion, this will be a key challenge in next 6-12 months that companies will need to deal with it through changes in locations of data, changes in contracts and assessments of existing data transfers. And, the work won’t end after that, but we may have new version of Standard Contractual Clauses then.

2. Companies need to review and mitigate risks from employees working remotely

Before pandemic, companies had just about completed changes (due to recent privacy laws like EU GDPR) in their data management and businesses processes. And now, companies need to deal with almost all employees working from home. Whilst this is a technological and organizational challenge of unparalleled scale, it is also a challenge to identify the privacy risks from employees working remotely. The last few months may have been spent in focus on business continuity but identification of privacy risks and mitigation of such risks need to be prioritized now because hackers now are aware that they do not need to hack into a corporate network but can exploit vulnerabilities of home networks. Even in post pandemic word, majority of your staff may work from home. Employees would ask flexibility that they would have gotten used to. So, you will not only need to address privacy risks when an employee works remotely but also when the employees works at different locations e.g. two days from office and three days from home. This requires adaptation of your privacy and security strategy. In my opinion, this will be a key challenge as to how does one protect data while it is accessed from anywhere.

3. Companies need to gear up for post COVID world

Whilst we all are busy with the pandemic world, there will be an end to pandemic in sometime. We all hope that it ends sooner than later. But, one thing is certain and that is “things may not be same” even when pandemic eases. So, if you are relying on privacy risk evaluations from the old world, it is time to review things in a world wherein you will be selling products and services online. Yes, even if you think your product cannot be sold online. The new world will have greater component of online. So, you need an online privacy strategy. So, the sooner we pivot, the easier it will become. In my opinion, it is best to take a proactive approach and start to review the risks of delivering products and services online and may be offline. This likely change in business model and the uncertainty around it means privacy risks identified previously are in need for a review.