Data protection tips for hybrid working

Thursday 12 May 2022

Love it or loathe it, hybrid working is here to stay for many organisations.

What began as an emergency reaction to lockdown in March 2020 has become a ‘new normal’ for many people, who may now spend more time working at their kitchen table than in their employer’s office. Some organisations were already set up for flexible working, some had to react quickly and do what they could with the resources available but, either way, working from home does give rise to a range of data security risks.

In January 2021, our blog post highlighted some of the concerns employers should bear in mind when managing remote working. Those concerns remain valid and employers should continue to undertake risk assessments and mitigate any risks identified. The main change is one of context: stopgaps that were considered acceptable in times of emergency lockdown may not meet the standards generally required for compliance with data protection law. The Information Commissioner’s Office (ICO), the UK’s data protection regulator, was understandably lenient when lockdown first hit but is now ramping up its scrutiny.

Increased reliance on technology means increased risk of cyber attack. A cyber attack could lead to the leak of confidential information, damage to reputation and, if any personal data is accessed, a data breach that could lead to a fine under GDPR. Implementing some practical measures could reduce the risk of any cyber attack being successful – and provide valuable evidence of steps taken to secure personal data should the worst happen.

System security

How do your employees access business information and communicate with each other? Keeping on top of IT issues can reduce opportunities for hackers to interfere. Hybrid working brings the added challenge of staff moving between the traditional office setting and their home, as well as perhaps working on the move. Can you use multi-factor authentication to strengthen access controls? Are you using current versions of software and have all relevant patches been applied? Ensure you enforce any policies about regular password updates or use of personal devices. If personal devices are permitted, can you install any company software to set up a secure work profile that keeps business information separate and better protected?

Practical steps

The chances are that most homeworkers will be sharing a living space, meaning non-employees may have access to confidential business information. If you have policies about locking screens when away from desks or not leaving paperwork within view, issue regular reminders of those policies. It may prove difficult to enforce such policies (and you don’t want to damage employee goodwill by appearing not to trust your staff) but those reminders will serve as useful evidence of steps taken to manage security.

Video calls

Many of us have suffered so-called “Zoom fatigue” after two years of virtual meetings, but there may be other benefits to replacing some video calls with an old-fashioned phone call. Does your video technology introduce any additional vulnerabilities? If you need to record a team meeting for any reason, have you advised attendees upfront of that fact and given people the option to turn off their video or raise any objections? Consider whether a video call is always really necessary.

Privacy notices

Remote working may have brought about new uses of data, whether in terms of allowing use of new devices, collecting technical identifiers or engaging new IT providers who will have access to staff data (and so be considered data processors). Check your privacy notice remains current in its description of the types of data processed, purposes of processing and any data sharing arrangements.

With all of these issues there will be a range of concerns, both for the organisation and for individuals. Banning home printing may help reduce the risk of data being left in view of third parties but does that present impractical obstacles for people in certain roles? If people regularly need to share large files, what is the most secure and cost-effective approach – and can use of that system easily be mandated? Finding the right balance between security and efficiency for your organisation is key.

Data protection compliance should be kept under constant review, ideally by someone with sufficient background and experience to spot and address concerns, whether a Data Protection Officer or someone else allocated that responsibility. Evidence of steps taken to achieve compliance is also important, so keep a record of any training, policies and procedures implemented. Wherever your staff may be based, make sure you keep these practical issues under review to try to stay ahead of any potential threats.

If you have any concerns about the data protection implications of hybrid working, then we are here to help. Please contact Emma Collins or another member of our Commercial team.
