17 Feb GDPR, security and working from home. Challenges for employers adapting to the “New Normal”.
Introduction
Remote working is an integral part of the “new normal” and is radically transforming the workplace and how we do business. Although this creates a raft of new opportunities for companies and how they operate, it also brings a number of risks and novel challenges, on top of the ever-present GDPR obligations.
The issues for companies
Remote working carries serious data security risks for companies, because the cyber and physical security measures normally associated with the office (controlled entry, managed networks, supervised printing and disposal) are no longer in operation. Many data breaches arise from human error, such as misdirected emails, lost devices and mishandled documents, rather than from targeted attacks by an unknown outside party. Infringements of the GDPR can result in administrative fines of up to €20 million or 4% of the company’s total annual worldwide turnover, whichever is higher. The security of personal data is therefore a concern not only from an ethical perspective but also a financial one.
The principal issues that employers need to address when reviewing their remote working policies and practices are:
A. Training
GDPR already forms a significant part of workplace policies, procedures and guidance. Employers should regularly review their data protection policies and ensure that they are adequately communicated to all of their employees. It is essential that these are kept up to date to ensure compliance. The training of personnel is fundamental to reducing the risk of a data breach, both in the office and in the remote working environment. The appointment of an external Data Protection Officer (“DPO”) can help employers identify risks, plan training and act as a nominated point of contact for employees who encounter data issues.
Employers should take a similarly proactive approach to the review of their general security policies, again ensuring they are adequate and communicating them, together with any amendments, to their employees. In relation to both GDPR and security generally, proper training of staff is the single most effective way to reduce the risk of a breach, wherever the work is done.
B. Risk assessments
As part of the proactive approach outlined above, employers should ask their employees to carry out a risk assessment of their home working environment. Questions such as where they are physically working, what equipment is being used (employer-issued or personal), who else has access to the space and the devices, and what security measures are in place to protect the workstation at home should all be considered. This approach helps identify potential areas of weakness so that appropriate steps can then be put in place to remedy any deficiencies.
The reporting of this information to the employer is essential and an external DPO can help coordinate the compilation of this information.
C. Email security and download
Employers should remain vigilant against phishing emails and other scams. They should also ensure that employees guard against downloads from untrusted websites and do not open web links or attachments which appear unsafe. Downloading documents or files from the internet comes with a range of risks. Firstly, a file from an untrusted source may carry malware which, once run on the employee’s device, can give an attacker a foothold on that device and, through it, on the company network and the confidential information held there.
Furthermore, downloading work files directly to a laptop or desktop means that a copy of that information is stored locally, so if the device is stolen or lost, the data goes with it and, unless the device is encrypted, can be read by whoever finds it. Where possible, employees should access data remotely through a work intranet or shared document system rather than keeping local copies.
D. Policies for remote working
Arguably this is the most important area employers should review. Employers should particularly look at implementing policies and guidelines around where their employees are physically working when not in the office environment. Such guidance should address whether it is acceptable for employees to check their emails in public spaces over unsecured or public Wi-Fi networks, and whether it is prudent to have work conversations with clients in public where they can be overheard.
The implementation of appropriate policies and guidelines is crucial to ensure employees are meeting the employer’s duties under the GDPR. This includes privacy notices, password protection, subject access processes, data breach processes, security of employee devices, the removal of digital and physical documents from the office and the disposal of documents.
It is important to bear in mind that employees are representatives of the employer and, in the eyes of the GDPR, their actions are the employer’s actions. Consequently, it is the employer who will ultimately bear the consequences of an employee’s failure to follow the obligations set out in its policies. Working from home adds a further level of difficulty from a monitoring point of view, and the adage “out of sight, out of mind” has never been more apt.
E. Password integrity / best practice
Password integrity forms an integral part of any security strategy. The use of strong, unique passwords together with multi-factor authentication to gain access to work materials should form part of any strategy, as multi-factor authentication limits the damage a single phished or reused password can do. Passwords should be changed whenever there is any suspicion they have been compromised; note that current guidance from bodies such as the UK NCSC advises against forcing routine expiry, because it tends to produce weaker, more predictable passwords.
F. Other security on employee devices
As part of any risk assessment, employers should review the security measures on the devices that employees are using to gain access to their work materials. This should include whether a home desktop is password protected, whether its disk is encrypted and whether its operating system and software are kept up to date. Where a personal laptop is being used by an employee, it may be preferable for them to be supplied with a work laptop, or to have the employer’s IT service provider check the security of the device. Furthermore, if an employee is living in a multi-occupancy dwelling, it may also be necessary to provide the employee with a headset and a privacy screen so that others in the accommodation cannot see or hear any sensitive material.
G. Removal of documents and data from office environment
It is important to have appropriate policies and guidance in place to cover an employee bringing a file home from the office. Any such policy should clearly set out the circumstances when this would be an acceptable practice and furthermore whether there are restrictions on what documentation can and cannot be removed from the office.
Where an employee does remove hard copy documents and files from the office, it is advisable to have an appropriate audit system in place to record the movement of documents so that they can subsequently be accounted for.
It would also be prudent for any policy on the movement of electronic data to require that it remains encrypted both in transit (for example over a VPN or an HTTPS connection to the company’s systems) and at rest (on encrypted laptops and removable media).
H. Disposal of documents
Printing internal documents at home could put you at risk of breaching the GDPR. Businesses should also be wary of employees making handwritten notes during working hours, as these may contain confidential information. Any guidance should extend the employer’s existing office guidance to the home, and should require employees to safely store any printouts or handwritten notes until they can be disposed of securely.
Businesses should consider how they can correctly dispose of these items, with products such as mini shredding bins and remote collection of confidential waste now available.
Conclusion
Remote working does not limit an employer’s responsibilities under the GDPR or for data security. Businesses should take the risks seriously and regularly review, and communicate to their employees, their data protection and cyber security policies.
How Aquitas can help you
Aquitas Law’s specialist Employment Law and GDPR teams can assist you in reviewing your existing work policies and implementing solutions that protect both your employees and your business.
Call us on 0207 099 4444 or email us @ enquiries@aquitaslaw.com for our free checklist.