The current pandemic has changed our world beyond all recognition, forcing us to urgently adapt ‘old ways’ and prioritize safety above all else. In business terms, this has translated into the acceleration of remote working and digital transformation, prompting a greater reliance on digital communications, governed by the need to avoid physical contact wherever possible.
In the Netherlands last spring, for example, an emergency ordinance was issued stating that all law firms and bailiffs were, from then onwards, encouraged to use secure email for communication, instead of physical faxes and letters, for at least the duration of the Coronavirus pandemic. This initiative reflected the enforced shift to working from home, where most people do not have a fax machine or the ability to send large packages of documents. Secure email is a quick-to-deploy alternative to faxes and postal mail, enabling the safe transfer and exchange of personal information within digitally signed, legally binding documents. (Since the new ruling’s introduction, more than 70 percent of all lawyers have started using Zivver’s secure digital communications platform to comply.) As a result of this change, the annual cost savings anticipated by replacing fax, letters, and couriers with secure email across the Dutch Judicial System are approximately £2 million.
Tentative steps towards a ‘new normal’
But what happens now, as some countries – the UK leading this effort – start taking tentative steps towards a ‘new normal’ with an increased level of human interaction? Will all the good and essential work that’s been done to create a safe working environment go out of the window?
Presumably not, as organizations have ‘forcefully’ learned that their workforce has largely been able to be digitally effective and successful, all in a secure manner. However, during the pandemic, organizations have encountered serious challenges in providing a correctly functioning, easy-to-use, legally compliant and adequately secure digital work environment.
Therefore, to ensure that they can continue to work (largely or in part) digitally going forward, organizations need to consider the multiple threats to legal and regulatory compliance that have arisen during the pandemic, principally around data protection and data security. The main challenge will be that more people than ever before will presumably continue to work remotely, and will still have to comply with all data protection rules and regulations (the UK’s Data Protection Act and General Data Protection Regulation, for example). The whole physical meeting culture, that is, talking in the ‘safe’ environment of four walls, has been (temporarily) halted. This obviously increases the urgency for companies to ensure that a safe, easy-to-use communication channel remains available, which many smaller and mid-size companies did not have in place when the pandemic started.
With a hybrid working model, in which employees split their time between home and office-based working, predicted as the next step for most organizations (big banks HSBC and JP Morgan among them), the chosen post-Covid workplace policy will serve as a starting point for businesses looking to re-evaluate their communication security.
Data privacy laws are about to get tougher – and will be enforced
Once the pandemic is really behind us, the supervisory authorities will rapidly increase their efforts to enforce compliance and ensure that companies of all sizes observe the privacy laws and regulations.
GDPR isn’t going away and, post-Brexit, it remains the UK standard for data privacy and protection. The six-month data adequacy agreement reached between the UK and EU in late December was incredibly important. The agreement essentially offered the EU more time to issue a so-called adequacy decision and in mid-February the European Commission launched the process towards the adoption of two adequacy decisions for transfers of personal data to the UK: one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive (LED).
Given the economic interdependence and extensive data transfer between the EU and UK, it is pivotal that such an adequacy decision is in place before the agreement expires, so that the UK is not simply treated as a ‘third country’ under the GDPR (with all its consequences).
In light of the above, it is critical for UK organizations to act now to optimize their communication security, as data privacy is likely to become more extensive, stronger, more regulated – and it will be enforced.
And it is not only complying with existing regulations that should concern organizations, but also ones that are yet to materialize. It is widely expected, for example, that the US Congress will pass federal privacy legislation sometime this year, largely modeled on the policy enacted by California in 2020 called the California Consumer Privacy Act (CCPA). This anticipated legislation would be the biggest change to privacy regulations since the GDPR came into effect in Europe, impacting businesses worldwide.
Striking the right balance between security and usability
The common misconception among organizations is that implementing and enforcing digital security is complex, as well as inaccessible, and that it requires too many changes in the way employees work. But in the search for the right trade-off between security and usability, a fundamental concept has been overlooked. Ultimately, it is increased usability and awareness that foster increased security.
Striking the right balance between security and usability is critical to safeguarding digital communications, not least to prevent data leaks caused by human error. Easy-to-use security solutions that are intuitive and seamlessly embedded into everyday working lives will enable even the non-tech-savvy employees within an organization to participate in cybersecurity efforts. Our secure email technology, for example, adds a security and privacy layer on top of existing email systems, such as Outlook (desktop and Microsoft 365) and Gmail – ensuring that staff don’t have to change their usual way of working.
It all comes down to being an enabler. Companies need to ensure that the digital communication technology they deploy is security compliant, integrates into existing workflows, is familiar and intuitive for the people using it, and is intelligent in helping people to make better and safer decisions. The reality is that if organizations fail to provide employees with the right communication security tools, many will see a significant increase in data leaks – to the detriment of all concerned.
Reinout Bautz, General Counsel, Zivver