Covid-19 is impacting how and where we work and many companies are redesigning what business as usual will mean in the future. Privacy is under the spotlight and in light of this, Nicolai von Steinaecker, Director at Laurence Simons Search in Frankfurt, discusses with Ruediger Himmel, Director Global Privacy Legal at Adient*, the impact Covid-19 is having on privacy and data protection.
*Adient is a global leader in automotive seating with 81,000 employees operating in 220 manufacturing/assembly plants in 34 countries worldwide. The company produces and delivers automotive seating for all vehicle classes and all major OEMs and their products are placed into more than 23 million cars every year around the globe.
Nicolai von Steinaecker (NvS): Good Afternoon Rudi, thank you for taking the time to chat to me today. With most people now working from home because of Covid-19, how has remote working impacted you from a data security point of view?
Ruediger Himmel (RH): When working remotely you need to consider the same safeguards as you would do usually - a secured environment, trustworthy network connections and following and respecting company security policies. Of course, we use industry standard network authentication from well-known vendors to secure our network remotely as well. Our IT did a great job in providing additional guidance for these times just in case people are not that familiar with working from home or to re-ensure security measures are followed.
NvS: With many companies using different communication channels, how do you ensure the confidentiality of sensitive discussions particularly considering the privacy risk around the use of some video technology providers?
RH: Combining the right guidance, applying company policies and regular awareness training provide the right foundation. With regards to technology providers in general, before implementing a solution, a privacy impact assessment is key to highlight potential risks and develop mitigating solutions for potential risks. We perform that assessment even if an Art. 30 (GDPR) record of processing activities would suffice. The assessment consists of a thorough questionnaire as we want to get a detailed understanding of each individual case, flanked at the end with the Art. 35 GDPR threshold questions. Of course, if the Data protection impact assessment (DPIA) conditions are met, we do the DPIA additionally.
NvS: Data protection authorities throughout Europe are taking slightly different approaches to Covid-19. How are you interpreting the regulations and how do you harmonise so many different approaches to the processing of health data in particular?
RH: Supervisory authorities had slightly different approaches in some cases on what type of employee’s personal data related to Covid-19 can be stored, what legal basis, and so on. The common denominator and simplest solution to avoid complexity or legal collision across jurisdictions is to restrict and avoid, where possible, the collection of personal data by the company.
Why? See the following example: Measure body temperature, but do not store. Use the result as a potential indicator. In communication to the staff and potential visitors, make clear that a higher temperature does not necessarily mean a Covid-19 infection. Indicate that individuals with higher temperature should reach out to their healthcare professional and let the healthcare professional collect all relevant health data and communicate with the health authorities in case of positive Covid-19 tests. The same applies to healthcare professionals within the company, for potential Covid-19 infections. Healthcare professionals must act as Controllers by themselves and interact with the healthcare authorities, not the company itself. By adopting such an approach or a similar one, you will conclude that guidance from all Supervisory Authorities can be satisfied and handling is as easy as possible. We, at Adient, took this very seriously, working cross-functionally amongst different departments to make sure we meet legal requirements and keep the business running.
NvS: How are you prepared if more and more colleagues and plant workers come “back to work”, especially after the summer break? Any safeguards you will be putting in place?
RH: It is as simple as that: more distancing, no gathering. It will look strange for sure, but we all must push in the same direction to protect our health and our businesses as we do now while working from home. As mentioned before, the best way to proceed is to avoid collecting any sensitive data. So, we will not do it. I do not see a reasonable purpose for using biometric tools for example. Regarding temperature measurement, we will not store the data and limit the accessibility. So Covid-19 somehow reminds us to concentrate on the key exercise, especially as regulations get more and more complex: following the principles of anonymity and data minimization - with Covid-19 and in general.
NvS: What would you say will be the biggest challenge for you and your team in the next weeks and months?
RH: Returning to normal, or better said: the “new” normal. I hope that the way we will need to work will still allow us to meet up under certain rules and circumstances, because social bonding is key for me, especially for a great and productive team and collaboration experience. I guess we humans are not made for working alone in the long run.
NvS: Thank you very much Rudi for taking the time to talk to me. I appreciate your time and assistance.