August 21, 2020
Mitigating the Privacy Risks of Remote Working
Posted by Pippa Akem
As the flow of data increases between systems, locations, organizations and vendors, it’s important to prioritize privacy controls to mitigate privacy risks of the evolving pandemic landscape. If you haven’t established proper privacy controls already, now is a perfect time to implement them.
Key Risk Areas
Whether you need to create these controls from scratch or already have a sophisticated privacy control environment, the increasing number of remote employees has a profound impact on control strategies. As a result, it’s essential to ensure you have processes in place that provide insights into key risk areas related to remote-working environments. As you plan how to achieve successful privacy controls for remote workers, you can boil it down to six main considerations.
- Understanding the Risks
When more and more employees transition to remote work, sensitive data begins to flow through numerous locations — increasing the risk of your data being compromised. The first step your privacy team should perform is an impact assessment. You can do this internally or outsource it, depending on your business model. The important thing to keep in mind is that if your evaluation uncovers new risks, you should create new controls.
Impact assessments should be risk-based and focus on all the sensitive data you process. If confidential information is moving across new servers, networks and other mediums, there are likely new risks. Privacy risks considerations can extend into areas outside of your technological systems, such as an employee viewing protected health information at home while living with others who can potentially access it.
2. Clear Documentation
Once you finalize your new controls, it’s important to document them clearly. The benefits of straightforward documentation are twofold. First, remote employees can understand their tasks within the controls process and perform them in a standardized manner. Additionally, precise documentation of execution better enables auditors to verify their effectiveness.
Many processes used to require physical tasks (e.g., scanning, signoffs, filing), which now should be adapted to a remote environment. Digital document storage systems, certificates and other digital workflows can help streamline your remote documentation processes.
Your new policies and procedures are only useful if employees understand them and can access them whenever needed. For example, with in-person training no longer an option, they should shift to an online format without losing their effectiveness. After initial training, you can communicate your privacy controls through a company intranet, shared drive or another medium with anytime, anywhere access.
By communicating your controls through a single source of truth, your messaging is consistent. But again, you should consider that risk mitigation isn’t achieved only through technology. Management should align behind a uniform privacy governance strategy, too, so available information is unvarying across different teams.
4. Gaining Collective Buy-In
To inspire meaningful change and improve data security, management should not only align behind a single strategy but also believe in the importance of data security. Once management acknowledges how vital privacy controls are, that belief can waterfall throughout the organization with how they discuss it. This encourages employees to prioritize data security. You can even create incentive structures that drive execution and inspire everyone to treat sensitive data with the utmost care.
As your business continues to adapt your new privacy controls, monitoring their performance is critical. The first step is to develop metrics that can quantitatively measure performance. Once you’ve created metrics, your privacy team should develop feedback mechanisms and undergo periodic audits to evaluate performance continuously. After the assessments, report the results clearly and concisely to all stakeholders, so the efficacy of your controls are clearly communicated.
6. Continuous Improvement
Upon receiving measured results from the monitoring process, management should leverage these results to drive iterative improvement. Having feedback and reports flow into incremental changes will help fine-tune the controls and drive efficiency. It’s best to prioritize areas of development with the most privacy risks exposure during improvement initiatives.
As businesses transition to the remote environment, it’s easy to lose focus on compliance initiatives. Non-compliance isn’t only costly; it can have detrimental intangible consequences on your organization, like losing your customer’s trust, which can lead to tangible losses if those customers take their business elsewhere because they don’t trust you can keep their data safe.
Adjusting your privacy controls to a more digitized environment is only going to become more necessary as technology expands into even more facets of your organization and its operations. Ensuring your entire organization understands why you have these privacy controls, executes them effectively and continues to improve them, can ease your transition into a remote-working world without slowing down your efficiency.
If you’d like to discuss how to revise your privacy controls most effectively, Armanino’s privacy experts are offering a free consultation. Email [email protected] to start your privacy transformation today!
Prior to joining Armanino, she held privacy functions at Fortune 500 companies supporting General Data Protection Regulation (GDPR) implementation and the transition to California Consumer Privacy Act (CCPA) compliance. Pippa holds the Certified in Healthcare Privacy Compliance (CHPC) designation and is a member of the Health Care Compliance Association (HCCA) and the International Association of Privacy Professionals (IAPP).