In the first of our new series of interviews with industry experts, we speak to Daniel Keating, Senior Associate at CMS Cameron McKenna Nabarro Olswang LLP about the importance of GDPR for employees working from home.
Given the recent announcements from the Government, which are having a significant impact on the process of re-opening offices and premises, for many of us there is still likely to be an extended period of working from home. Even when offices can fully re-open, it is likely that there will be a significant number of people who choose to adopt their new working patterns as the norm and continue to work from home, or do so for at least a couple of days a week. Businesses will need to ensure that they have appropriate measures in place to facilitate this change or risk losing key employees to competitors.
There are many issues for employers to think about in relation to home working such as their statutory duties to protect the health, safety and welfare of their employees, including those who work from home. In addition, employers are required to carry out a risk assessment to identify any hazards relating to the work done by homeworkers and to take steps to remove them or, where this is not reasonably practicable, to minimise them.
Businesses will also need to consider that in these very difficult times the last thing that a business can afford to have to deal with is the fallout from breaches of the GDPR and potential regulatory action. This could cause yet further economic and reputational damage to your organisation, not to mention further harm to the individuals whose data is compromised. Therefore, it is essential that businesses and organisations, together with their staff and employees, continue to maintain high standards of data protection compliance across all areas and locations.
Homeworking will very likely result in increased data protection and security risks, particularly for organisations that are not readily set up for staff to work remotely. Increased risks could arise in a number of areas:
- Hackers or malicious actors – Taking advantage of the current situation to release phishing scams, viruses, malware or ransomware knowing that an organisation’s systems or an employee’s personal device used to work remotely may be more vulnerable.
- Infrastructure security – Where staff access is not managed properly using measures such as VPN / secure gateway access and dual authentication.
- Personal data – The processes for transferring personal data from the office to home – e.g. staff using removable media, emailing work to personal email accounts, or printing sensitive work-related materials on unsecured personal printers.
- Home networks – Lack of control and likelihood of weaker protocols on employees’ home networks.
- Software / platforms – Remote users may need to use different software or unfamiliar platforms in a different way to normal.
- Device loss / theft – An increased risk of staff losing or having their devices stolen whilst they are away from the office.
- Remote working systems – Use of new remote working systems, such as collaboration tools, for example:
  - Shortcuts may have been taken in relation to supplier due diligence, data processing agreements and safeguards for international data transfers, meaning that if a data breach happens supplier-side the customer organisation may not be as well protected as it could be.
  - Users / clients may not have been informed that their personal data will be processed using these tools (in line with the organisation’s transparency obligations under the GDPR).
What can companies do to mitigate those risks?
In terms of specific action points that businesses can take immediately, they should take the following steps:
- Ensure strong passwords are set for user accounts with two-factor authentication (2FA).
- Ensure that devices encrypt data at rest.
- Use mobile device management (MDM) software to set up devices with a standard configuration to enable remote locking or erasure.
- Ensure that staff know how to report problems and understand how to keep software and devices up to date and that they apply all updates promptly.
- Make sure a virtual private network (VPN) is fully patched.
- Disable removable media using MDM settings.
- Use antivirus tools where appropriate.

More generally, businesses will need to take measures such as:
- Business continuity plans – Invoking business continuity plans to ensure ongoing availability and resilience of systems required for the business to operate and ensuring that key stakeholders can effectively communicate with each other, the business and its customers / clients.
- Employee obligations – Reminding staff of their obligations regarding data protection and information security, in particular raising awareness of the extra vigilance needed to combat hackers or malicious actors.
- Security standards – Ensuring that high security standards are maintained in relation to any new systems and tools that are introduced to facilitate remote working.
- Security measures – Keeping security measures under constant review and where necessary updated to ensure that they remain appropriate and take account of the new working environment and associated risks – this will involve carrying out an updated risk analysis, reviewing organisational policies and procedures (or putting in place new ones where these do not exist), considering new physical and technical measures and any additional security requirements that may now need to be implemented. The business should consider whether any amendments to its emergency response plan are required in light of these changes.
- Data breach response plan – Having the organisation’s data breach response plan close to hand in case this needs to be invoked.
What happens if you don’t do anything?
Businesses that implement measures, such as those detailed above, will be far better placed to avoid breaching their obligations pursuant to the GDPR. Businesses and their staff will be alive to and be able to spot possible threats far more quickly and easily and this could make all the difference between an issue being resolved easily instead of becoming a serious incident.
It is also important to remember that, no matter how many measures you put in place, mistakes and personal data breaches will happen. However, those businesses that have good data protection practices and have properly trained their staff will be able to identify these quickly and, crucially, will know what steps need to be taken to minimise any damage to individuals and their business.
Further, in the event of any regulatory action (for example by the ICO), if you can show that you have taken steps to ensure that all appropriate technical, organisational and security measures have been put in place and that you keep the same under review then this will greatly assist when dealing with and responding to any investigation and may even go a long way to minimising any enforcement action against you.
What’s the best piece of advice you could give to a business with regard to this matter?
Don’t look at the issue of data protection and your obligations under the GDPR as something that is a hindrance to your business and as something that you only consider when you have to. Instead, look at it as an opportunity to ensure that your business operates in an efficient and secure way and is one that clients and consumers can have confidence in and are happy to provide their personal data to as they know it will not be used inappropriately and will be held securely. It is no surprise that more and more businesses and organisations are now using their data protection credentials to enhance their reputation and create another effective marketing tool to attract business with.
Finally, it is important to remember that, whilst your organisation is having to grapple with new ways of working, it is “business as usual” for opportunistic hackers or malicious actors. Make sure that your staff are aware of this, the need to be extra vigilant and that you have a data breach policy that everyone is aware of.