As the COVID-19 outbreak continues to unfold, businesses are dealing with new and unprecedented operational and legal challenges. There are also key data protection considerations for businesses in connection with the COVID-19 pandemic, including compliance with the requirements around the processing of personal data for health monitoring purposes, crisis management issues and steps to be implemented to ensure the continuity of privacy compliance programs.
Over the past weeks, data protection authorities in the EU and the European Data Protection Board have issued guidance on the processing of personal data, including health data, for COVID-19 detection and prevention purposes. The available guidance generally suggests caution if employers seek to (1) conduct systematic surveys among employees for COVID-19 infections, (2) conduct mandatory temperature tests and (3) reveal names of infected employees.
From a crisis management perspective, businesses are focusing on a number of issues amidst the pandemic, including:
- cybersecurity preparedness;
- issuing guidelines for safe teleworking; and
- anticipating vendor management issues.
Moving forward, it is important to ensure business continuity, including with respect to privacy compliance programs. To limit disruptions of daily business operations and maintain appropriate internal governance, leadership and oversight functions should continue to operate effectively. Appropriate escalation processes should be in place to handle high-risk privacy matters, and procedures for handling requests of data subjects exercising their rights under the EU General Data Protection Regulation should gradually go back to normal.