The measures businesses have taken to adapt to the COVID-19 crisis are unlikely to be temporary, which includes the consequences for personal data processing operations.
In this article, I have gathered some key insights from various industry players and experts, and reconciled them with my own industry observations and the observations of the wider Aphaia Data Protection Officer (DPO) team.
More opportunities mean more data
It is by now clear that the lack of offline opportunities has created a number of online opportunities in those industries that do not necessarily depend on physical, hand-to-hand delivery. This is best described in the words of Susana Cárdenas, founder of award-winning heritage Cárdenas Chocolate: “It’s incredible how this current situation has changed our business. For example, hotels and restaurants are closed and sales on hold. However, our clients who sell online have sold out our chocolate because people ordered it as a gift for their loved ones during the quarantine. That was the case of chocolate online retailers in Paris and Spain.”
An even more prominent change can be observed in the art market. According to Arianna Perini, an arts management professional, “Auction Houses have only had online sales in the past three months, plus most global galleries have opened online viewing rooms to enable buyers to still ‘visit’ and buy their artworks. A good example comes from Gagosian and Zwirner.” Ms Perini further notes that many startups have taken advantage of this situation with their ideas to digitise and democratise the art market, an example being Vortic, launched by Victor Miro in London. Even though the possibility to physically experience art is timeless, she foresees a permanent shift towards the online even after the situation has gone back to normal.
Whereas such developments may for experienced online sellers mean a bonanza not only in profits but also in customer data, all those who have only now discovered online sales channels may be caught off-guard when it comes to the requirements for lawful data processing. Whereas some businesses have set aside basic compliance requirements such as transparency of their customer data processing, we have also seen others who fear that anything they do with the data might be unlawful, for example that any processing of their customer data might require GDPR consent.
Moving your business online should not be taken too lightly
That said, whilst moving your business online has been much easier now than it would have been only a couple of years ago, there seems to have been a huge difference between those businesses whose DNA has comprised of online work before COVID-19 pandemic, and others where this is not the case. That type of DNA often has very little to do with businesses having to move around physical goods or perform services on-site or on a person.
Aphaia have launched our DPO Outsourcing product that is primarily based on collaborative client interaction on Trello in 2017, when the privacy industry was still based on privacy consultants spending long hours at the clients’ premises, a business model unsustainable for tech startups and young tech businesses, who are now by GDPR typically required to appoint a DPO. But if the markets might have allowed some of these legacy business models to continue, COVID-19 has put an end to them. If your business can operate online, it now must operate online.
According to Olga V. Mack, CEO at Parley Pro, a collaborative & intuitive contract platform, legal services’ migration to work from home might face what might at first glance appear rather basic challenges: employees having laptops and reliable access to the internet, plus the company having a plan for disasters. We may as well add the use of secure, cloud-based services that enable end-to-end encrypted sharing of data and operate based on Article 28 GDPR-compliant terms of service.
Unwanted consequences of the surge in online business
Unfortunately, new opportunities for lawful business also mean new opportunities for illegal activities targeting people’s data and property. The effects of this have been more tangible than one might think. According to Pamela Mcloughlin, Head of Digital Money & New Ventures at Hello Soda, COVID-19 pandemic has caused a peak in e-commerce traffic, but a rise in e-commerce comes with a rise in fraud: “This is not even industry specific; we have noticed that a lot of our clients have seen a rise in fraud. We as a KYC, anti-money laundering and ID verification vendor have had to respond by managing an influx of businesses who need to integrate our anti-fraud tools urgently and also automate their ID verification processes, which were previously manual.”
Needless to say, businesses that process financial data and special categories of data, notably health-related data, need to ensure that communications channels and storage mediums they use are secure to prevent any potential personal data breach.
Our tips to get your data privacy right post-COVID-19
Whilst privacy-related consequences of COVID-19 pandemics vary from business to business, there are some universal take home messages:
- if you have previously engaged in online sales of goods and services only from time to time but are now doing so regularly, you should review your online privacy policy – or prepare one if you do not yet have it. You might be surprised, but there are customers who do read such documents and make complaints to the data protection authorities if they do not like what they see!
- review your communications channels to ensure that key transactions information is adequately encrypted;
- review your list of sub-processors whom you use to store in the cloud, analyse, or send your customers’ and employees’ information. Each of them must have Article 28 GDPR-compliant terms of service in place. No excuses, no exceptions;
- if your employees are using their own devices (BYOD) to work from home, please ensure they have installed appropriate malware protection;
- list the obligations and procedures to protect personal data by your employees in an internal data protection policy;
- make sure you are ready for a potential data breach, which needs to be reported to the data protection authority within 72 hours of discovery.
