Managing legal and tech risks of remote work

More and more employees are working remotely by the day. Against this backdrop, companies need to take the utmost care to protect employees and confidential company information. What are the IT and legal risks companies face as workers go remote?

Author: Raul Rubio, Director of our Data Protection program, Head and Partner of IT Law at Baker McKenzie

Nowadays, technology is more prominent than ever. In the midst of the coronavirus crisis, entrepreneurs are fighting for business continuity without sacrificing the image of their company and the welfare of their employees. The measures taken by governments worldwide to alleviate the effects of COVID-19 have led many companies to implement remote working, and with it, employee use of corporate—or even personal—devices and tools for professional purposes. Additionally, many companies have had to seek alternatives to continue serving customers effectively, changing their business model from one based on physical presence to a digital one. The physical world is giving way to the digital world, particularly in the work environment—something that many companies are experiencing for the first time. Therefore, we must work hard to ensure effective business continuity without forgetting the consequences of not complying with the legal framework in which our activity takes place. A challenge that, if overcome successfully, can lead to very positive change in the future.

Why not take advantage of this quarantine to review and update your business procedures and ensure corporate technology is implemented without legal risk? These are the 7 fundamental tasks:

1. Review your internal IT device usage policy

And if you do not have one, take this time to make one. What’s it for? For one, employee expectations for personal use of corporate devices depend on the content of this policy. If the employer monitors the employee’s use of the company’s devices (remember that the law allows this to a certain extent), the company’s IT policy should clearly express that the company’s resources are only to be used for professional purposes. Otherwise, employee monitoring may be very limited. Likewise, where employees are authorized to use their own devices for business purposes (commonly known as “bring your own device”), the rules must be clear for the employees. The use of WhatsApp for professional purposes is not uncommon. If an employer does not want to be identified as responsible for the data, photos, sensitive information etc., that their employees exchange in WhatsApp groups, our recommendation is that they explicitly prohibit it in this policy.

2. Update your employee privacy policies

As mentioned earlier, an employer can monitor their employees to ensure they use the company’s devices solely to carry out the tasks their role requires. If the company decides to make use of this capability during quarantine, it must ensure that the monitoring policies in place, including the company’s employee privacy policy, already cover this. Furthermore, the company’s employee data processing (including health data) now has a new purpose, which is to prevent the spread of COVID-19 on the basis of the protection of public health, among other reasons. Therefore we have updated the data protection information to take into account this new scenario. We recommend doing this not only as a “complement” to the main employee privacy policy, as we are seeing in many cases, but also addressing it in the main text in order to avoid future gaps in information. In the event that higher risk or special category data processing is required—as is the case with the aforementioned processing of health data for the purpose of preventing COVID-19—or has been carried out prior to quarantine, an employee privacy policy can be used to carry out and document the necessary PIAs (Privacy Impact Studies).

The physical world is giving way to the digital world, particularly in the work environment—something that many companies are experiencing for the first time.

Review security measures implemented for cybersecurity and data breaches such as servers

3. Review security measures implemented for cybersecurity and data breaches

During this time of quarantine, business continuity depends more than ever on computer systems. The two major challenges that companies face are cybersecurity and personal data protection. Since the implementation of the (no longer so new) General Data Protection Regulation (GDPR) in Europe, authorities are focusing on so-called personal data breaches or violations, which can result in extremely high sanctions. What else can you do now you have more time available? Take this opportunity to review your cybersecurity protocols, update or upgrade incident logs, update devices to avoid vulnerabilities and review the security measures of your company’s cloud service providers.

At the end of the day, it’s important to remember that poor security measures not only put your personal data at risk, but they also threaten all of your intangible assets, such as statistical data, trade secrets, know-how, intellectual property etc.

4. Take advantage of this opportunity to consider contracting electronic signature software in order to provide business continuity, as well as technological packages which ensure appropriate remote working under secure conditions

Now that the signing of contracts in person is becoming more complicated, it’s time to consider the use of electronic signature software. Remember that Spanish law generally allows and endorses the use of electronic signatures, and courts are required to admit electronically signed documents as evidence. There are many options available on the market, although the technology and proven strength of the various software varies depending on the type of signature they offer.

Additionally, there may be companies that, as a result of this situation, have discovered they do not have the sufficient technical or technological means to continue operating safely. With this in mind, depending on the capacity of each company, we recommend analyzing the different technological software available to businesses in order to identify which best meet the needs of your particular organization. This will avoid the improper use of personal or private data when signing contracts and circumvent any potentially resulting risks for your company.

Poor security measures not only put your personal data at risk, but also threaten all of your intangible assets, such as statistical data, trade secrets, intellectual property etc.

5. Take a look at your major technology contracts

And be careful who you partner with from now on. Nowadays, as digitizing our work environment has become increasingly critical to securing business continuity, we are also more dependent than ever on our technology providers. It’s important that we dust off the big technology contracts on which our businesses are based and verify that you are legally protected with the necessary tools and resources.

We understand that contracting technological service providers is a priority, but you must avoid signing these contracts quickly and blindly. As we know, most of these contracts are opt-in contracts and may, in some cases, compromise the security and availability of our data. Get advice, evaluate and weigh up the risks that you, your business teams and your company’s legal counsel are willing to take on.

Initiatives of the commercial teams can become too invasive and in turn generate customer tension. Let’s not forget that, despite being in a state of emergency, the authorities are still present to enforce the law

6. Assesses the impact of digitization on your business

Due to the above points, there are many businesses that, given the circumstances, have had to perform a 360º turn and digitize their interaction with customers. It’s important to note that these business interactions with customers are subject to numerous legal obligations that should not be disregarded under any circumstances. This includes both legal texts and the acquisition process of your services.

Therefore we recommend re-evaluating the purchasing and contracting processes of products and services already offered digitally, with special emphasis on aspects related to the contracting and formalization of contracts (from the type and display of the product to the acceptance of the contract and its digital confirmation). Likewise, those who have recently joined the digital world must ensure that they have all the legal processes and texts required and comply with the various relevant regulations. With all this, you can help avoid both the nullity of contracts and clauses, and sanctions from the pertinent authorities.

Finally, we must highlight the role of those teams whose commercial objectives are intrinsically linked to the exploitation of customer data. It’s important that the various initiatives (such as online marketing campaigns through emails or cookies) of the sales and marketing teams are approved and supervised by the legal team. These initiatives can become too invasive and in turn generate customer tension. Let’s not forget that, despite being in a state of emergency, the authorities are still present to enforce the law.

Design the data strategy of your company

7. Design your own data strategy

 Implementing a data governance strategy is key to any business, but, now more than ever, businesses need greater access to data to meet the challenges we are facing. This can be achieved through the implementation of an efficient information management model that enables business continuity by managing risk from both a practical and regulatory point of view. A data governance model will improve access to data, facilitate its use and provide reassurance of its veracity and reliability. In short, it will provide you with security and efficiency when making business decisions. Although this will not be possible if we do not make it a transversal model in which all business areas are involved. And all this must be carried out without impacting the advantages a model like the one outlined offers us, during a situation where we must ensure the health and safety of our employees. An efficient data management model will give you the necessary tools to monitor your employees—in accordance with how you manage your business throughout the COVID-19 crisis—while respecting the protection they are owed with regard to data.

But where do I start? Take this opportunity to review your data processing (data mapping) procedures—review your decision-making model for data protection, internal audit processes and ensure the involvement of the DPO in everything that impacts the protection of personal data. If you do not already have one, consider creating a Data Governance Committee to make strategic decisions about your organization’s data governance structure. All of this would also help you to demonstrate your company’s diligence and proactivity in terms of compliance with relevant regulations.

 

shows the picture of Raul RubioRaul Rubio, Director of our Data Protection program, joined Baker McKenzie as a partner in 2011, practicing in the area of information technology and communications. He has over 15 years’ experience, having worked for the Spanish office of a Big Four accounting firm prior to joining Baker McKenzie. Mr. Rubio is a frequent speaker at several universities, law schools and companies, and has given several lectures on topics related to his field. He has written numerous legal articles in business journals and magazines relating to intellectual property, audiovisual law and new technologies.

Note: The views expressed by the author of this paper are completely personal and do not represent the position of any affiliated institution.