
By Susie Kenerson, CIPP/US, Compliance Privacy Officer at CSR Privacy Solutions, Inc.  and Michelle Johnston, CIPM, CIPP/US, Compliance Privacy Officer at CSR Privacy Solutions, Inc.

It is bedrock that the safety, health and privacy of employees, customers and others associated with any business come first. Is the principle of “do no harm” compromised when consideration of the financial costs of mitigation poses a life-threatening event?

The challenge of the COVID-19 event is balancing survival – health vs. financial stability.

The quality and adoption of best business policies, practices, and procedures drive the actions to be taken, balances to be maintained and responses to challenges that all entities must meet.

CSR Privacy Solutions presents a series of articles that focus on the needs of each business entity to both survive and thrive in the current COVID-19 environment.

We address the need to consider privacy as your organization’s policies, procedures and protocols are enacted, modified, or enforced. This is the very essence of Privacy by Design (PbD).  Today’s article focuses on the Business Continuity Plan (BCP) and the Disaster Recovery Plan (DRP) as examples of a balanced approach.

Another article in our series, Data Privacy Issues & COVID 19 (1 of 6), addresses details specific to the BCP and DRP as they relate to vendor management.


Businesses establish policies and procedures as the foundation for operations. They define and document the behavior that is expected, construct a base-level of risks and identify responsibilities.

Documenting your processes is necessary to organize, assign and track what is occurring during business interruption events and to guide future practices.

The realization is hitting – policies and procedures must address when, how, and what to do in the event of a cataclysmic occurrence such as the COVID-19 pandemic.

The BCP/DRP lays out a response strategy for events such as accidents, natural disasters, or a malicious data breach, yet needs to be enhanced to include plans for responding to a pandemic event like COVID-19. The extended, unpredictable timeframe of COVID-19 requires each entity to be flexible.

Each organization’s BCP/DRP serves as the central point of reference for decisions and the resulting efforts as to:

  • Safe working conditions
  • Financial survival
  • Criticality of personnel
  • Operational standards
  • Communication
  • Vendor management

The mandatory and regulated privacy of your organization’s data, including personal information, is paramount. Keeping all stakeholders, employees, customers, and vendors informed of changes to your business practices affecting their privacy is essential.


Guidance published by OSHA and the EEOC provides strong recommendations for how employers should prepare their workplaces to react and respond to COVID-19, including practices for employee privacy. Employers’ questions surrounding issues such as their ability to collect additional health information from an employee or take an employee’s temperature are addressed in the guidance.


Maintaining a strong process management program is a cornerstone for business practices, processes, and protocols today, tomorrow and in the future.

Mandatory privacy regulations and requirements are a key focus in the array of decisions that must be made, balanced, and executed in this or any environment.

CSR Privacy Solutions, Inc. supports small to medium-size businesses (SMB) and provides privacy solutions for implementing and complying with mandated requirements. Our focus is to help keep you compliant with regulatory requirements.

For more information on best practices and guidance on Privacy, please contact CSR at [email protected].
