What are the issues surrounding GDPR when employees are working from home?

October 28, 2020

In the first of our new series of interviews with industry experts, we speak to Daniel Keating, Senior Associate at CMS Cameron McKenna Nabarro Olswang LLP about the importance of GDPR for employees working from home.

Given the recent announcements from the Government, which is having a significant impact on the process of re-opening offices and premises, for many of us there is still likely to be an extended period of working from home. Even when offices can fully re-open, it is likely that there will be a significant number of people who choose to adopt their new working patterns as the norm and continue to work from home, or do so for at least a couple of days a week. Businesses will need to ensure that they have appropriate measures in place to facilitate this change or risk losing key employees to competitors.

There are many issues for employers to think about in relation to home working such as their statutory duties to protect the health, safety and welfare of their employees, including those who work from home. In addition, employers are required to carry out a risk assessment to identify any hazards relating to the work done by homeworkers and to take steps to remove them or, where this is not reasonably practicable, to minimise them.

Businesses will also need to consider that in these very difficult times the last thing that a business can afford to have to deal with is the fallout from breaches of the GDPR and potential regulatory action. This could cause yet further economic and reputational damage to your organisation, not to mention further harm to the individuals whose data is compromised. Therefore, it is essential that businesses and organisations, together with their staff and employees, continue to maintain high standards of data protection compliance across all areas and locations.

Homeworking will very likely result in increased data protection and security risks, particularly for organisations that are not readily set up for staff to work remotely. Increased risks could arise in a number of areas:

Shortcuts may have been taken in relation to supplier due diligence, data processing agreements and safeguards for international data transfers, meaning that if a data breach happens supplier-side the customer organisation may not be as well protected as it could be.

Users / clients may not have been informed that their personal data will be processed using these tools (in line with the organisation’s transparency obligations under the GDPR).

What can companies do to mitigate those risks?

In terms of specific action points that businesses can take immediately, they should take the following steps:

What happens if you don’t do anything?

Businesses that implement measures, such as those detailed above, will be far better placed to avoid breaching their obligations pursuant to the GDPR. Businesses and their staff will be alive to and be able to spot possible threats far more quickly and easily and this could make all the difference between an issue being resolved easily instead of becoming a serious incident.

It is also important to remember that no matter how many measures you put in place mistakes and personal data breaches will happen. However, for those businesses that have good data protection practices and have properly trained their staff, they will be able identify these quickly and crucially will know what steps need to be taken to minimise any damage to individuals and their business.

Further, in the event of any regulatory action (for example by the ICO), if you can show that you have taken steps to ensure that all appropriate technical, organisational and security measures have been put in place and that you keep the same under review then this will greatly assist when dealing with and responding to any investigation and may even go a long way to minimising any enforcement action against you.

What’s the best piece of advice you could give to a business with regard to this matter?

Don’t look at the issue of data protection and your obligations under the GDPR as something that is a hindrance to your business and as something that you only consider when you have to. Instead, look at it as an opportunity to ensure that your business operates in an efficient and secure way and is one that clients and consumers can have confidence in and are happy to provide their personal data to as they know it will not be used inappropriately and will be held securely. It is no surprise that more and more businesses and organisations are now using their data protection credentials to enhance their reputation and create another effective marketing tool to attract business with.

Finally, it is important to remember that, whilst your organisation is having to grapple with new ways of working, it is “business as usual” for opportunistic hackers or malicious actors. Make sure that your staff are aware of this, the need to be extra vigilant and that you have a data breach policy that everyone is aware of.