John Giannakakis, General Counsel of the Andromeda Group, shares his insights on data protection and cybersecurity compliance issues – made all the more pressing in a COVID-19 context – and the best practices he has developed for assessing risks and nurturing a compliance culture.
CEEIHM: Let’s start with a wider perspective. What are the main ways in which the COVID-19 crisis impacted your role as a General Counsel of the Andromeda Group?
John: COVID-19 established a new normality in the way we work. Remote working, virtual meetings, and online decision-taking became the new business standard. For me personally, the pandemic was a key driver to re-evaluate my professional priorities and focus on the essential, leaving aside any surplus. The new normality gave rise to new business-critical competencies such as adaptability, stakeholder management, being action-driven rather than debate-driven, and data-driven working.
CEEIHM: Data protection/privacy has been at the top of the agenda for GCs for a while now. How has the current situation impacted this area?
John: The entry into force of the General Data Protection Regulation (EU 679/2016) and the NIS Directive were game-changers for the privacy and cybersecurity universe. Those two pieces of legislation were undisputedly game-changers for businesses and regulators worldwide – not only within the European Union – as they imposed an increased set of compliance obligations for Data Controllers and Data Processors, making them accountable for their level of compliance against the GDPR requirements. Moreover, the EU Directive on the security of Networks and Information Systems can be just as influential on IT as the GDPR has been. The NIS Directive applies to all EU member countries and allows each country the flexibility to adapt legislation appropriately for alignment with other national legislation and circumstances, which means each country will have its own version and specifications. But broadly, the NIS Directive concerns the security of nationally important infrastructure such as energy, water supplies, transportation, and healthcare. The Directive provides the legal footing to:
- Ensure that EU members have a national framework so that they are equipped to manage cybersecurity incidents and oversee the application of the Directive.
- Set up a Cooperation Group among EU members to support and promote strategic cooperation and the exchange of information across country borders.
- Ensure that organizations that rely heavily on information networks are identified by each EU member as “operators of essential services.” Those OES will have to take appropriate security measures to manage risks to their network and information systems. The OES will be required to notify the relevant national authority of cybersecurity incidents.
This means that any organization that operates and maintains infrastructure in energy, healthcare, transportation, and water services will have to comply with the NIS Directive as well as the GDPR and risk being fined double for data breaches.
CEEIHM: What are the main concerns, from a legal/data protection perspective, when we talk about remote working?
John: The COVID-19 pandemic is the ultimate game-changer that has turned many things, especially business, on its head. In response, most companies are implementing work-from-home arrangements for employees so they can keep things running.
Along with all the cautions about online scams and email phishing, another pitfall awaits: it’s possible that without a legally sound remote work policy, your efforts can unexpectedly create significant legal problems. Key concerns for remote working include: clear policies on remote working (e.g. a Bring Your Own Device Policy, Information Security Policy, and Acceptable Use Policy), data security concerns (prior IT clearance of employees’ own devices, VPN use, authentication protocols, etc.), discrimination-related issues (e.g., women with small children or employees with disabilities working from home), and health and safety issues for employees working from home.
Here are some useful guidelines for businesses when it comes to working from home:
1. Eligibility: Determine what positions are eligible to work remotely, and state them in your policy. If you have no remote-compliant positions, state that from the beginning, eliminating any future requests or inquiries about remote work.
2. Availability: If you allow remote work, then availability expectations should be outlined in the policy. Whether it’s instituting a blanket 9 a.m. to 5 p.m. work requirement or letting employees set their own schedules, it should be put in the policy.
3. Responsiveness: Define whether a remote employee is expected to respond to a co-worker immediately, and also specify what modes of communication should be used.
4. Measuring productivity: Remote work policies should specify how an employee’s productivity will be measured.
5. Equipment: Remote workers need the right tools to complete their work. Therefore, companies need to state what equipment they are willing to offer to these employees. If they expect employees to provide their own computers, for example, then they need to specify that.
6. Tech support: Specify what tech support will be offered to remote workers. Outline what remote employees are expected to do when having technical difficulties, so there is a plan of action.
7. Physical environment: For health and safety, some employers prefer or require an employee’s physical environment to be approved prior to working remotely.
8. Security: When information is taken out of the office, security is not guaranteed. Employees need to be extremely careful when doing work in public and rules must be put in place to guarantee electronic security and proper disposal of paper.
CEEIHM: How would you go about running an audit of the risks your company is exposed to?
John: As a certified Data Privacy Auditor I have been accustomed to running data privacy audits in organizations of all sizes. An audit must follow a specific plan and produce evidence and results (deliverables); hence a well-performed audit needs to be implemented by experienced auditors based on a well-structured audit plan. The key risks for the Andromeda Group, as for all types of businesses, are: Strategic Risk, Operational Risk, Compliance Risk, Financial Risk, and Reputational Risk. As an auditor, you need to establish a well-thought-out audit plan to address all the aforementioned risks. Some useful tools can be software solutions that help you implement the audit, producing charts, timetables, spider webs, and other deliverables.
CEEIHM: Obviously, the legal team can’t address all concerns on their own. What other functions should be involved and what best practices should be employed?
John: The legal and compliance function, as a support function, needs to establish a business partnership profile in all business areas. Working closely with HR, IT, Sales & Marketing, and Risk & Internal Audit, the legal function needs to act as a valuable business partner by suggesting solutions instead of just identifying the problems, protecting the business interests of the company, its management, and stakeholders, establishing a compliance culture within the business, and adding tangible and business-relevant value. These will be the success metrics for GCs in today’s and tomorrow’s business world in general.
CEEIHM: Many of the pre-emptive solutions rely on users’ behavior as well. What can/should a GC do to nurture a compliant culture within his or her organization?
John: Some practical advice to nurture a compliance culture within your organization:
1. Stay informed: The legal landscape is changing rapidly and it is important to fully understand the law in the jurisdictions where your company operates. Consider creating a mechanism to keep yourself informed and to help you anticipate, identify, prioritize, and react to change. Enlist the help of local legal liaisons to keep up to date and be sure to broaden your sources for information and best practices, for example by attending ethics and compliance conferences.
2. Identify your organization’s risk areas and obligations: It is not always easy to determine which provisions apply to your organization, but doing so is important. For instance, when setting up your whistleblower/compliance hotline you’ll need to know whether any country-specific regulations apply. Further, ensure that your organization has conducted an ethics and compliance risk assessment and that the findings inform the operation of the ethics and compliance program. Doing so will help you make the best use of scarce resources.
3. Keep key decision-makers up to date: You may be in the best position to regularly update senior leadership on ethics and compliance regulatory and best practice developments. Include this information in your regular communications and as part of your risk assessment process.
4. Develop targeted communications and training: Often the most successful way to implement such training for those impacted by regulations is to involve local managers, or “compliance champions,” both to ensure cultural resonance and local relevance as well as to demonstrate that these policies are priorities of the business, not just the ethics and compliance team.
CEEIHM: Many believe working from home will become more common, even after the outbreak. Do you agree, and if so, what should GCs plan to cope with this change in the nature of work?
John: Personally, I am most confident that the remote working practice will become a standard business norm. GCs should incorporate all digital tools at their disposal to be able to allow remote working without any business disruption:
- In general, GCs should select collaboration tools that make connecting easy: One of the most important parts of having an effective remote team is making sure that collaboration tools are in place so that members of your team can easily work together as if they were in the office together. Look closely at the needs of your organization and find a tool that meets those needs. Some things to look at when searching for a tool include the ability to file-share among teammates, video-conferencing availabilities and features, and email and chat offerings. You want to focus on a solution that is intuitive and easy to use.
- Educate your staff: While a great collaboration tool is very important, it is just as important to have your staff trained on how to use it. Make sure your teammates are all comfortable using your collaboration tools and know how to make the most of the program.
- Optimize remote access to the corporate network: In order to make working remotely effective for the legal team, the GC needs to make sure that team members can easily and effectively access the organization’s internal network from home. Make sure that your team members have adequate Internet bandwidth at home to make accessing the network easy as well. There are a couple of ways the team can access the internal network remotely. They can use a VPN – but you will want to make sure your VPN solution can support the required number of connections. Another method is to use a Virtual Desktop Infrastructure such as GC Connect to start a remote session on a work device remotely.
- Prioritize Security: As with all aspects of the legal team’s business planning, the GC should be thinking critically about cybersecurity plans and solutions when working with a remote workforce. As companies have scrambled to adjust to remote workers, attackers are seeing an opportunity to take advantage of vulnerabilities. Workers are now more exposed as they sit outside the corporate network and its perimeter protection measures. Conduct cybersecurity training for all users and regularly brush up on what they have learned. Make sure that in-transit traffic is encrypted, as this traffic will likely traverse the public Internet. Make sure to use MFA where applicable and have your teammates use a company-owned device to work instead of a personal device to limit who has access to your data.
- Check in and prevent isolation: While the benefits of working remotely can include less commute time, more productivity, and more flexibility, it is important to also consider some of the cons. A major concern for remote workforces is the feeling of isolation, especially as remote work continues on a long-term basis. To address this, it is recommended to send regular company-wide and team-wide communication so the team continues to feel connected. Encourage the use of video-conferencing and suggest that all teammates turn on video. Maintain a regular cadence with the team and take the time to reach out and connect regularly on an individual basis as well.