It has been 2 years since the global pandemic started, and the onset of COVID-19 is still a tremendous challenge for companies. Employee safety, closures, shifts in demand: all have tested businesses. Many companies have adopted policies and remote work practices. Unfortunately, many of these new actions have raised serious questions about privacy that are still relevant today.
How can you increase employee trust and retention during the pandemic? What can employers do to control the spread and mitigate the effects of the virus, and what additional data can they process about their employees?
In this in-depth webinar, TrustArc and Covington & Burling privacy experts will dive into the challenges created by the global COVID-19 outbreak and how your company should face them.
This webinar will review:
- The privacy implications of the COVID-19 pandemic
- How to effectively implement remote work policies to manage privacy risk
- How to ensure good data protection and governance practices for your employees working from home to increase trust and retention
Speakers
Lindsay Palmer
Senior Privacy Research Specialist
TrustArc
Andy McMenamy
Global Privacy Program Manager
TrustArc
Anna Sophia Oberschelp de Meneses
Associate
Covington & Burling
Agenda
• The privacy trends and implications of the COVID-19 pandemic
• How to effectively implement remote work policies to manage privacy risk
• Addressing openness and transparency
• Considerations for a healthy return to the office
• Secure disposal of COVID-19-related data
Remote working - trending issues
Zero-trust network and computing:
• Reconsider the castle-and-moat concept
• Focus on identification on an individual user and device level
Technical training:
• Investment in employee training on security tools
Social engineering:
• Employees must understand basic IT hygiene and security
Managing personal vs. work-issued equipment:
• Mobile device management (MDM)
Employee/productivity monitoring:
• URL-blocking and web-filtering to block access to certain websites
• EU prohibits systematic and potentially invasive data processing in the workplace
Transparency - the ongoing challenge
• Be clear, open and honest with people about what you are doing with their personal information:
○ Be specific about the purpose of collection
○ Include retention periods to allay fears about scope of processing
○ Let people know where they can go for more information
• Individuals can only have a sense of control over their data if they know about the processing and can exercise their rights
• Make notices and policies easily accessible:
○ Website
○ Social media
○ Posters/signage
○ Attach to emails about events
• Train staff so they can answer questions in line with the privacy notice
Return to office - vaccine and testing policies
Workplace mandates:
• Clearly identify the verification process
• Specify the information that should/should not be provided
• Explain consequences for non-compliance
Legitimacy:
• Are mandatory policies allowed?
• Is there a public health requirement to implement a verification policy?
Necessity:
• What is the goal of the policy (i.e., health and safety/prevent transmission in the workplace)?
Proportionality:
• Is verification necessary to achieve the end goal?
• Are there less intrusive ways to achieve the goal?
• Do verification practices comply with data minimization?
Clear, Purge and Destroy - What do I do with all this data?
Where to start:
• Look to data and device inventories, records of processing to understand where data is stored
Common data destruction techniques:
• Paper shredding
• Degaussing:
○ Electromagnetic field must be strong enough to penetrate modern hard drives that use thicker shielding
• Physical destruction:
○ Shredding hard drives and storage media into tiny pieces through mechanical shredders
○ Drilling holes in hard drives, hammering or pulverizing
*doesn’t actually destroy data but makes the device inoperable to prevent data recovery
• Software overwrite:
○ Writing patterns of meaningless data onto each of the hard drive’s sectors
*level of security depends on the number of times the hard drive is written over
• Use a combination of methods to ensure total data destruction
Thank You!
See http://www.trustarc.com/insightseries for the 2021 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.