Four risks to data privacy and governance amid Covid-19

EY privacy experts assess some of the novel risks to data privacy, protection and governance during the Covid-19 coronavirus pandemic

The Covid-19 coronavirus outbreak and resulting lockdown for all UK citizens has dramatically changed the way UK businesses operate. Almost overnight, companies and their employees have had to adapt to a new way of working, with many having to set up home offices.

Some organisations, which have been practising flexible working for some time, were able to adapt to the new world and way of working with relative ease, with robust procedures, practices and IT infrastructure already established. For others, the change was too much too soon, and quickly uncovered weaknesses, with some organisations experiencing data privacy breaches and governance concerns.  

With the situation remaining fluid and each day presenting new challenges to navigate across many areas of business – not just data privacy – it is a legal imperative for companies to stay focused and ahead of the game when it comes to protecting data and governance compliance.

To help guide organisations through these challenging times, we have identified four data privacy and governance risks – individual, compliance and regulation, physical and human rights – that companies need to consider and how to mitigate them while navigating the ever-changing environment.

Individual risk

The way consumers operate technology has changed dramatically since the UK has been in lockdown. More than ever before, people are relying on their home broadband and even home computers for remote working, banking, communication – often using sensitive sites.

Employees using home broadband, as opposed to safer office networks, open themselves – and in turn their companies – to the risk of hackers exploiting those less robust home broadband connections and taking advantage of workplace disruption. Not only this, but there is increased adoption and deployment of cloud by organisations so that employees can access the computing infrastructures, platforms and services they need.

Companies need to ensure that their cloud storage is secure and meets necessary regulations to protect the company itself and the data in question. Responsibility also sits with employees, who should consult their IT policy to understand what they can and can’t do. When an organisation’s policy is unclear, the role of IT needs to be elevated to ensure that employees aren’t left to make their own decisions about software and security without the right support and guidance.

Compliance and regulation risk

Usually, physical hardware space is kept in the office. But with lockdown set to continue and increased use of the cloud, compliance and regulation risk comes into question, playing on the minds of the organisations affected. Companies need to be aware of local legislation that applies to them and advise their employees accordingly.

Employees should also be thinking about whether or not they are playing by the rules. Is the way I work from home and the way I access data compliant with all necessary legislation outside of the office?

All companies will have some employees using the cloud to access data they are handling. Take human resource teams, for example – are they correctly moving data within the current European Union (EU) laws and are they compliant with data regulation and compliance initiatives? The main thing here is that employees need clarity from their employer on how they should be working in their home office environment.

Physical risk

Being away from secure office locations also opens up myriad physical risks to consider. Virtual assistant artificial intelligence (AI) technology devices, routers, smart kettles, and other internet of things (IoT) technology in the home could be a data protection nightmare for any business.

As an example, people working in the legal profession in Ireland have been told not to conduct work-related calls when near virtual assistant AI technology devices, for fear of privacy and data breaches as a result of devices recording information.

Another risk to consider when working from home is who is around you. While employees trust their family members, data handled must remain confidential. Firms need to be sure employees are working in a secure and confidential way that protects the data they are handling.

Human rights risks

There are a couple of elements to consider when it comes to human rights in this context. First, looking at employee rights. Many organisations have started paying closer attention to employees’ working habits as they try to balance working with schooling and caring responsibilities.

Access to this type of technology and data on employees results in a potential infringement of human rights as people’s whereabouts could potentially be tracked 24 hours a day. Some businesses may in turn unintentionally use this data for other means, for example monitoring productivity levels throughout the day, potentially encroaching on employee privacy.  

Second, technology has made it possible for people to be monitored all the time. The epidemic we are facing could go on to mark an important point in the history of surveillance in the UK. There is talk of mobile phone companies tracking individuals’ locations and using this information to track infected patients and those around them.

The real questions to consider are: How long would this data-sharing last for? Does this violate human rights to some degree? Could it be used for tax or visa purposes later down the line? It is likely opt-outs will be implemented when developing the monitoring tools and determining how they will work – transparency will be of the essence to ensure no one is compromised.

When considering some of these questions, it is important to note that legislation would need to be changed and this could have serious long-term implications. Certainly, there is a short-term critical need for healthcare and physical safety of individuals, but how far should it go? The concern for some is that major changes to legislation and tracking now could end up eroding individual rights in the long term and putting the UK back years when it comes to people’s rights. Legislation and time limits will need to be considered.

Final thoughts

Organisations would be well-advised to drill down on what risks to data privacy and governance come into play for them, as we all adapt to this new way of working. It is not just about the short-term risk, but also the long-term impact to the business.

To navigate data privacy and governance risk at this uncertain time, companies must act quickly and decisively, and keep up-to-date with data protection legislation, so that they can apply it to the new circumstances and overcome the immediate threat to secure their future once the storm passes.


Pragasen Morgan is partner and privacy leader at EY UK&I. Paul Smith is associate partner in risk advisory at EY UK&I.
