GDPR and coronavirus are probably the last things you want to see mentioned in an article together, right? While we all get to grips with how we return to work and change our working practices, there are data protection implications too. In our latest article, Gerrard Fisher discusses some of the things small businesses need to think about when dealing with data protection as we begin to leave the lockdown.
Recording health information
If you’re managing lists of which staff have tested positive for Covid-19, or which are self-isolating as a precaution, you’re managing information about their health. Whenever you keep a record about someone’s health, you’re using “special category” information and this comes with special responsibilities. Have you checked what extra precautions you need to take to hold this kind of information securely? What might be the implications of someone else accessing these records?
Do you really need to keep information on their current condition? If possible, try not to keep detailed (or speculative) information on people’s health conditions. Instead: can you keep a simple record of “when people are available to work”?
You might have good justification for holding more detailed health information as part of your ordinary business (for example, if you’re providing healthcare services it’s vitally important) but don’t store information you don’t really need. That way, you can’t lose control of it!
Recording employment information
Your staff may be working different hours, they may be furloughed or on reduced shift patterns. Most of the information you hold will be important for your business - so you can manage payroll, keep in touch with staff and keep your business running.
This kind of information is likely to be standard HR management stuff - and so you should protect it accordingly. Like with all other routine employment information, only certain people should be able to see it: such as line managers, and the necessary HR professionals.
Adapting to new working patterns and behaviours after Covid-19
We covered working from home in a previous blog and video, but there are other ways in which your business may work differently to before:
Security measures and continued home working
Flexible and home working is likely to continue - so those temporary IT security measures you put in place may become more permanent. Make sure you review the measures you have in place to check they’re still fit for long-term operation. For example: if some staff have been logging on with their personal home computers, is now the time to issue them with work computers that can be part of your secure system? Find out more about protecting personal data you’re your team is working from home.
Cover for data protection activities
Your team’s availability could still be variable, depending on how immunity plays out. Can you take steps to ensure that you have extra cover for key data processing activities? Maybe you don’t need a “Deputy Data Protection Officer” but getting someone else to cover some of the data protection tasks would be a useful back-up.
Back-ups in case the worst happens
And speaking of back-ups...how are yours?! Make sure you’re backing up information securely in case the worst happens. Authorities have already seen an increase in cybercrime and ransomware that damages data and demands a payment. If you’ve got a recent back-up you can better protect yourself from this kind of threat.
Astrid is a secure online platform that makes data protection compliance simple. Developed with small businesses in mind, we provide you all the tools and guidance you need to become and remain compliant with data protection legislation. Find out more about our services. Subscribe now to get your small business compliant and safeguard your reputation, your finances and your business. With prices starting from £225 a year, it’s a small price to pay to protect yourself from potential prosecution and penalty fees.
Protect your business - become and remain GDPR compliant with Astrid