How BCP and GDPR Affect Business Amid the Russian Invasion
In the past couple of weeks, the world has seen the strength of Ukraine as a whole as it continues to deal with the invasion by Russia. As many of us watch this unfold, it is clear that the average person may never be prepared for an event like this; from an organizational standpoint, however, there are steps that can be taken to prepare for the worst. Countless Ukrainians were not expecting the full-fledged attack that Russia actually launched. This left many companies scurrying to relocate and/or enforce business continuity (BC) and disaster recovery (DR) plans on the spur of the moment.
We at Semper Sec have been assisting a customer that has processes and operations based out of Ukraine. When there was the first talk of a possible invasion, we conducted exercises with their team on BC planning; for instance: this office goes away, now what? Our experience with the customer has emphasized the importance of business continuity planning processes, especially in light of the General Data Protection Regulation (GDPR).
As most know, GDPR guidelines dictate where data can and cannot be processed, stored, and accessed because of privacy concerns. So, how do businesses remain compliant during war? In this instance, it will not be business as usual, but as the saying goes: the show must go on. For our customer to continue to fulfill their obligations and safeguard their clients’ data, we had to first and foremost stress the importance of personnel. Technology is usually top of mind; however, most technology still needs people to operate it.
After the people aspect was elevated across the organization, increased monitoring of security controls and capabilities was prioritized. During times of war, fear of ransomware attacks becomes a high concern for external and internal persons alike. This process then included the organization monitoring access controls for employee logins. For instance, in Ukraine, men aged eighteen to forty are not allowed to leave the country during war in case combatants are needed. Therefore, if a male employee is shown logging in from a different country, HR should conduct outreach to understand the unusual location.
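The login-location review described above can be automated so that security only hands HR the cases worth a conversation. The following is an added example, not code from Semper Sec or the customer: it reads a constructed authentication log, compares the GeoIP country of each successful login with the set of countries where that employee is expected to work, and groups the findings per employee. It generalizes the post's rule to a per-employee expected-country roster (so relocated staff and other offices are covered by the same check) rather than encoding any one nationality or gender; the log format, employee ids, IP addresses and roster are all constructed for illustration.

```python
# Added example (not Semper Sec's or the customer's code): flag successful employee
# logins from a country other than the one(s) where that employee is expected to
# work, so HR or security can follow up. Everything below is constructed sample data.
import csv
import io
from collections import defaultdict

# Constructed roster: employee id -> countries (ISO 3166 alpha-2) they are expected
# to log in from. Assumption: e102 has already relocated to a Poland office.
EXPECTED_COUNTRIES = {
    "e101": {"UA"},
    "e102": {"UA", "PL"},
    "e103": {"DE"},
}

# Constructed authentication log. The country column is assumed to come from the
# identity provider's GeoIP lookup; addresses are from documentation ranges.
SAMPLE_LOG = """\
timestamp,employee_id,source_ip,country,result
2022-03-01T07:12:03Z,e101,203.0.113.10,UA,success
2022-03-01T07:40:51Z,e102,198.51.100.7,PL,success
2022-03-01T09:05:22Z,e101,192.0.2.44,RO,success
2022-03-01T09:06:10Z,e103,192.0.2.90,DE,failure
2022-03-01T11:30:00Z,e104,198.51.100.99,FR,success
2022-03-01T12:15:45Z,e101,192.0.2.44,RO,success
"""


def parse_log(text):
    """Parse the CSV login log into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def find_unexpected_logins(records, expected=EXPECTED_COUNTRIES):
    """Return one alert per successful login outside the employee's expected countries.

    Employees missing from the roster are flagged as well: with no expectation on
    file there is nothing to compare against, and that gap itself needs a review.
    Only the fields needed for outreach are kept (no raw IP), which keeps the
    review record minimal for GDPR purposes.
    """
    alerts = []
    for rec in records:
        if rec["result"] != "success":
            continue  # failed attempts are a separate signal; this check reviews granted access
        allowed = expected.get(rec["employee_id"])
        if allowed is None:
            reason = "employee not on roster"
        elif rec["country"] not in allowed:
            reason = f"login from {rec['country']}, expected one of {sorted(allowed)}"
        else:
            continue
        alerts.append({
            "timestamp": rec["timestamp"],
            "employee_id": rec["employee_id"],
            "country": rec["country"],
            "reason": reason,
        })
    return alerts


def summarize(alerts):
    """Group alerts per employee so HR receives one outreach item, not one per login."""
    per_employee = defaultdict(list)
    for alert in alerts:
        per_employee[alert["employee_id"]].append(alert)
    return dict(per_employee)


if __name__ == "__main__":
    findings = summarize(find_unexpected_logins(parse_log(SAMPLE_LOG)))
    for employee_id, items in findings.items():
        print(f"{employee_id}: {len(items)} login(s) to review")
        for item in items:
            print(f"  {item['timestamp']} {item['country']} - {item['reason']}")
```

Run against the constructed log, this reports two items for e101 (both from RO) and one for e104 (not on the roster), and nothing for e102 or e103. In a real deployment the roster would be maintained jointly with HR, since it is the source of truth for where each person is expected to be, and the alert should go to a person rather than triggering an automatic lockout: the point of the check is outreach, not denial of access.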
The methodology behind dealing with this tragedy is answering the question: what brings the company money and what costs it money? Alongside security, retaining clients is key. While some clients cut ties with our customer right away out of fear of data breaches, the focus always remained on the security of their people and of customer data. With that, our customer’s executive team worked to contract vendors to help with invoicing and fulfillment of client needs, and notified the applicable customers before requiring them to fail over, to reduce any concerns.
Questions to Consider
In dealing with this unfortunate situation, Semper Sec would like to raise some questions that organizations may not have thought about yet should an emergency (war or natural disaster) occur. If not all of these questions can be answered, perhaps it is time for an internal conversation.
- Does your business have a BC / DR plan in place? If so, does this account for GDPR guidelines?
- What privacy operations or activities have been executed?
- Does your response have specific steps depending on whether the organization is a “data controller” or a “data processor”?
- How quickly can your business adapt to the changes needed?
- What notifications will be sent to customers affected? Do you know whom to notify and how to notify your customers?
- Is your organization dependent on any physical location(s)? Almost all organizations figured out a remote workforce during the pandemic; however, if critical systems infrastructure or a VPN gateway is tied to a physical site, what happens when that infrastructure is compromised?