During the Pandemic Has Your Data Social-Distanced or Co-Mingled?
After more than a year of social distancing, most of us are ready for a safe return to normalcy in our personal and professional lives—and just in time, the world is beginning to open back up. Still, even after offices are fully reopened, most work environments will maintain flexible, hybrid models wherein many employees continue to work from home. As a result, organisations will need to pay continued attention to how they evolve, maintain and enforce their information governance and data privacy programmes.
Given the sudden pivot organisations were forced to make to enable remote work, many may not have had time to fully address or mitigate the data risks that came along with widespread, disparate use of collaboration and cloud-based tools. The adoption of whatever tools were necessary to maintain business continuity created an unprecedented explosion of data volumes, types and risks overnight. In effect, while employees did what was necessary to work while social distancing, company data became increasingly chaotic and co-mingled. The ripple effects of this continue to be felt across nearly every organisation.
FTI Consulting’s 2021 Resilience Barometer® found that nearly one-third of companies have dealt with the loss of customer or patient data, phishing, loss of IP or loss of third-party information over the last year, and nearly 70% are facing investigation on third-party data privacy (for some this has already happened or is currently happening; for others it is expected to happen in the next 12 months).
It is essential for organisations to simultaneously gain control over the data management gaps that emerged during the pandemic and bring their practices up to standard for a future, long-term hybrid or remote work environment. Beyond GDPR’s data privacy drivers, other countries have applied rules requiring organisations to prohibit employees from using software that generates but does not appropriately retain business communications, such as the U.S. Department of Justice Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy guidelines on the use of instant and ephemeral messaging.
Taking a proactive approach to IG will support compliance whether employees are working remotely or in person at a central office. It can also strengthen an organisation’s ability to quickly and efficiently respond to time-sensitive data requests for internal investigations, litigation, regulatory inquiries and data subject access requests. Critical steps for proactively resetting and improving governance include:
- Conduct impact assessments of any tools that were adopted quickly during the pandemic, and establish a process for assessing all new tools as they are introduced. Assessments should include tabletop exercises and simulations of what will happen if or when data within a particular system is compromised.
- Talk to employees to understand what tools they are using and what type of information is generated, shared and stored within those tools. Encourage a culture of transparency so that employees are open about their practices—which will be critical to helping the organisation understand when and where additional controls are needed to mitigate risk. Likewise, transparency should be reciprocal, so employees are willing and able to learn about how their activities impact company risk.
- Create a detailed data map and robust framework of data protection policies (or revisit these if they were in place before the pandemic). Data mapping is more important and more complex than ever before, as it must account for all the software and devices in use, down to the individual level. While it can be challenging to get to this level of insight, the details are integral to helping IG and privacy teams limit the extent to which company data is co-mingled, or at least understand instances of co-mingling so they can be tracked.
- Maintain active, engaging training and awareness campaigns that educate employees, in practical terms, about what to look out for to reduce risk and about the impact of their actions on company data and within company systems. Interactive training and simulations are crucial in ensuring employees are prepared and understand the central role they play in helping the company maintain a strong position on data protection. They need opportunities to practise and to build habits into their day-to-day work so that they stop, look and make sure a decision is safe from a data protection perspective.
The silver lining of these new data challenges is that they have increased awareness of the importance of IG. Governance initiatives now have a seat at the table, with recognition from executives that data issues can make or break nearly every critical area of the business from privacy, to legal obligations, to compliance, to customer trust.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.