Key consideration 2: Implement confidentiality measures for work-from-home arrangements
The second area, of equal importance, is having protocols with confidentiality measures for your work-from-home employees. These protect your company's sensitive and confidential information (which may include customer and employee data) now that it is being accessed from home environments that may be less secure than the office, particularly where employees live and work in close proximity to people who are not your employees. Additional precautionary measures to consider implementing include:
- Using mandatory privacy screen shields for laptops.
- Taking calls away from other people and where possible, in separate rooms.
- Using headsets for confidential calls.
- Making sure that hard copies of your company's confidential information are securely stored while in use and securely disposed of afterwards.
Key consideration 3: Implement data security measures
The third critical area which your protocols should address is security measures for the protection of all kinds of data, including personal data, health data, customers' data and the company's sensitive and proprietary data. Your protocols should address the following:
- The technical measures in place to guard against unauthorised or accidental access, processing, use, erasure or loss of data, bearing in mind that in a work-from-home arrangement employees are accessing your company's network from home networks and devices that lack the security controls in place at the office.
- Appropriate data backup measures to guard against accidental loss of data due to security incidents or system failures.
- Measures to guard against internet fraud, scams and phishing emails, including procedures for verifying, through an independent channel, the identity of anyone requesting a money transfer.
- An incident response plan for data breaches.
Key consideration 4: Comply with cross-border data transfer laws and regulations
The fourth area which your protocols should cover is compliance with cross-border data transfer requirements, taking into account both the jurisdictions where you host the data and the jurisdictions to which the data is transferred. Jurisdictions such as mainland China and Europe have particularly stringent data transfer requirements. Key issues to consider and address are:
- Have cross-border transfers become or are they likely to become necessary and more prevalent due to the COVID-19-driven closure of borders and travel restrictions?
- Have you complied with all applicable foreign laws and regulations concerning cross-border data transfer? For example, have you considered whether the personal data protection, processing and transfer rules under the European Union General Data Protection Regulation (GDPR) apply to you, and complied with them if so?
- Have you considered whether your company's services may fall within the definition of "critical information infrastructure" under the Cybersecurity Law of mainland China, and if so, have you complied with the relevant regulations concerning cross-border data transfer?
- Have you considered whether you may be handling information or documents that could be categorised as state secrets, and whether it is permissible to move the relevant processes online in compliance with state secrecy provisions?
Key consideration 5: Comply with sector specific regulations
If your business is regulated, you will also need to ensure that your protocols comply with sector-specific regulations. Additionally, if you are turning to innovation to overcome or ease the disruption to your services during COVID-19, be aware that specific regulations may apply to certain services, including those that involve non-face-to-face dealings with clients' businesses. Key issues to consider for your protocols are:
- Have you checked and complied with specific regulations concerning non-face-to-face dealings with clients' businesses?
- Have you checked and complied with specific regulations concerning the electronic signing of documents, as well as other sector-specific regulations such as those concerning non-face-to-face identity verification?