Insights

Get Ahead with Data Privacy in Crisis Planning

Author:Joanna van der MerwePrivacy and Protection Lead

When enacting organisational continuity measures, data privacy and protection might not be the first item on your action list. Acquiring new technology and setting up working methods might seem more important. Yet, in periods of crisis and transition, when privacy issues are not taken into account from the get-go, organisations often find out too late that they need to drastically backtrack to fulfil their data protection and privacy obligations. Getting ahead on protecting your data will make the process move much quicker. If you follow this guide, it will help organisations enact effective transitions in times of crisis in a way that works for you and your data concerns, and ultimately protects the people behind the data.

The problem

Reactions to continue working and teaching in light of the Coronavirus (COVID-19) pandemic have been fast. In a matter of days and weeks, some organisations have switched to remote working in a variety of ways. Many other organisations are still in the process. Due to the scale of these continuity projects, details are often overlooked. Major facets that need to be considered during the planning phaseare data privacy and protection. 

What we’re saying is: if you don’t involve the right expertise and your approach to switching to new ways of working isn’t data responsible, it’s likely core aspects of the transition project will need to be reassessed or implemented differently.

The Holistic Data Responsibility Framework

Over the last year, the Centre developed the Holistic Data Responsibility Framework as a tool that can help guide organisations through the process of setting up policies and ways of working that ensured the highest level of protection for the people behind the data. The concept and framework are important everyday of the year, but they are even more important during times of crisis because during these periods all data subjects are increasingly vulnerable.

Avoid ‘Silos’ and Work as a Team

During a crisis, the speed at which you may want to roll out new tools or ways of working may lead to crucial data responsibility steps being overlooked. Therefore, it is highly important that privacy experts are involved from the beginning and are given the remit to collaborate with the technical, teaching, legal, and learning experts as well as the subject-matter specialists and communication officers (and many more). This will create a unified and multidisciplinary team with a core focus on data protection. Only a multidisciplinary team will be able navigate all of the elements of data responsibility in a way that will lead to pragmatic, responsible and sustainable solutions. 

Without such an approach, it’s likely that different elements of your organisation will work in silos, or as independent units, without a uniform approach to protecting data. Ultimately, this will catch organisations out after substantial work and effort has gone into enacting crisis continuity plans. It may render work undertaken redundant, and expose the people behind the data to privacy and protection threats.

Taking measures that avoid silos in implementing crisis plans will streamline the process of understanding what is feasible and what is data responsible. To do so, make sure you have involved the people who work on and are experts in all seven areas of the framework and that they work together from the beginning.

So what can you do to embed data responsibility into your organisation’s crisis response plans? Below, our step-by-step guide offers guidance on taking the right approach.

First, ask: should we do this?

When the to-do lists and challenges seem insurmountable, it becomes even more important to ask yourself “should we do this” from an ethical perspective. It is key to take a step back and assess the answers to this question.

Empower your experts

Give the relevant employees the space to critically analyse the technological solutions being proposed, and take into account challenges and concerns that were present in non-crisis scenarios. What do those concerns look like when the data subjects are now in more vulnerable positions?Are there technical limitations and solutions that need to be firmly set up before rolling out a new tool? Are your existing technical solutions suited to this new way of working or do you need to change some things to ensure they remain secure?

Legal Aspects

Understand how the current situation changes your legal obligations as an organisation and take note of grey areas for decision-making. These may need to be reassessed when the situation returns to normal as might the corresponding legal obligations. This may require reassessing these decisions and rolling back some of the steps taken during the crisis.

Governance

Ensure clear communication of governance policies that have changed and outline exactly how they affect the ways employees are used to working. Also be clear on policies that have not changed and remind your team of what they are.

Process

This is possibly the most challenging, yet important, area to consider when working on data responsibility in a crisis. Due to the urgency of the situation and the increased pressure on policies and tools, things may occur that force people to go outside of these policies in order to continue to meet their obligations. Providing practical and timely guidance will help informal processes stay as secure as possible.

People

Building data privacy and protection into the guidance on tools (not as totally separate documents) is key to creating capacity and ownership over responsible data practices– this still applies during a crisis. All communications should  indicate this and highlight that the privacy and protection of the people behind the data is at stake.

Network

At the best of times, a network that provides advice and support is crucial to staying ahead of data issues. During crisis times these may be more difficult to maintain. Create informal networks to fill the gap with advice on implementing different measures. Sharing expertise, lessons learned and best practices will ultimately increase awareness for everyone in the network.

If you would like to know more about our work on data responsibility you can contact the Centre for Innovation at c4idataprotection[at]sea[dot]leidenuniv[dot]nl.