Interview: PwC adviser on business continuity during covid-19 era

JavaScript is disabled!

Please enable JavaScript to read this content.

PwC Head of Regulatory, Compliance and Advisory Joseph Githaiga

The coronavirus pandemic has seen governments increase surveillance to curb its spread, leading to worries about violations of data privacy. The economic disruption of the virus has also sparked fears that businesses might flout regulations, for example by under-declaring their performance. And with a majority of employees having to work from home, their exposure to cyber-attacks has never been greater. Financial Standard spoke to PwC Head of Regulatory, Compliance and Advisory Joseph Githaiga on these concerns and much more.

What are some of the emerging issues as a result of the coronavirus pandemic around data privacy and should we be worried?

Some members of the public may suffer the “Big Brother” syndrome and worry about the extent to which government agencies can legally use personal data to enforce measures to contain and manage the pandemic in Kenya. Examples include identifying individuals who have or may have the disease, enforcing quarantine measures and imposing restrictions on freedom of movement. It is important to recognise that an individual’s right to privacy is not absolute and that there are grounds for qualifying that right, for instance, where it is necessary to do so in the public interest or for the protection of the vital interests of individuals, or for compliance with written laws. It is, therefore, not difficult for the Government to establish a lawful basis to justify the use of personal data to contain the pandemic. However, once the pandemic is contained and the crisis is over, individuals will probably have stronger grounds to argue that any personal data processed for the purpose of pandemic containment should be destroyed or anonymised. 

From an expert’s point of view, will there be any challenges to regulatory compliance caused by Covid-19 pandemic and if so, how will we overcome this?

The risk of non-compliance with laws and regulations (whether deliberate or inadvertent) is real. A recent example is the unwarranted increases in the price of critical healthcare products such as sanitisers, masks and gloves by some retailers, which prompted the Competition Authority to intervene and warn of regulatory action against offending parties. There is also a significant risk of breach of data protection laws, which are recent and not well understood by the majority of Kenyans. Health details of Covid-19 sufferers (or individuals suspected of having the disease) may be accessed and shared in an unauthorised manner as a result of inadequate security controls in organisations where such data is held.

What are some of the key considerations for companies to ensure business continuity and regulatory compliance?

Companies should develop comprehensive and robust business continuity plans, which they should test and update regularly. The board and management should be able to form a rapid response crisis management team to plan and coordinate a response to the crisis. They should develop a clear communication plan for employees, customers, shareholders, suppliers and other stakeholders. They should also secure supply chains and have a plan for financing the business in times of crisis besides seeking legal advice on the regulatory environment that governs their business as well as monitor and comply with new laws and regulations introduced to contain the pandemic. Where applicable, they should also actively engage with their industry associations and regulators to ensure they are up to date with appropriate guidelines for managing the situation.

What do you think will be the most significant policy lesson for businesses, especially in being prepared for such a pandemic?

This current situation emphasises the need for businesses to put in place robust business continuity plans (BCPs), which anticipate a broad range of events that could create severe disruption for the business. The BCPs will need to be regularly reviewed and amended to incorporate new threats to the business and will need to be tested periodically to gauge their effectiveness. In the context of a pandemic threat, BCPs will need to incorporate measures designed to mobilise rapid response crisis management and planning at the highest levels of the organisation, prevent or reduce the risk of infection promote effective communication strategies for staff, clients, shareholders, suppliers, regulators and other stakeholder and provide employees with physical and mental healthcare support, among others. In challenging times like these, businesses may have no control over their operating environment, but they do have the opportunity to respond appropriately in ways that support their long-term sustainability.