With technological advances, many businesses have been able to work remotely, and many have reported profits thanks to their ability to adapt and overcome the challenges presented by COVID. During the lockdowns many businesses incorporated online video platforms such as Zoom, Microsoft Teams and Google Meet into their day-to-day operations. As the country starts to re-open, many businesses are continuing with remote practices, and many more wish to adopt a hybrid approach in which staff work both remotely and in the office. As a result, data is increasingly used and shared outside the traditional office environment. It is therefore important that businesses ensure they remain compliant with their data protection obligations and update their policies and procedures to reflect these new ways of working.
Employers have two main options when letting their employees work remotely. Option one is to provide company-owned devices for everyone; option two is to allow staff to use their own devices. Each has pros and cons from a data protection perspective.
Company Provided Devices
This option is inherently more expensive; however, in terms of data handling it is the most secure. You must ensure that you have mechanisms in place to prevent sensitive data from being extracted from a device. This may be through software installed on the device, encryption, internal policies and staff training, or a combination of these. You must also set clear guidelines on what the device can and cannot be used for. This not only prolongs the life of the device but reduces the risk of data breaches. You should also consider secure methods for sending and receiving data to and from your organisation, which is discussed further below. Firewalls and insurance will become increasingly important.
Staff’s Own Devices
Whilst this option can be cheaper, it also presents the greatest data risks. Staff should not be able to move company data onto their own personal storage or onto a separate unregistered device, such as a laptop that the employer is not aware of and does not control. Employers must also have policies or contracts in place that cover the costs of repair, usage and so on. Employers must be strict on internal policies and have plans for a security or data compromise. Out-of-date software can give rise to security breaches, so it is fundamental that staff devices are kept up to date and that firewalls and security software are installed. Remember that family members may also have access to these devices, even though they should not have access to the company's sensitive data, and that such devices may fall outside your business insurance or IT support contracts. Personal devices are also used in a much wider range of settings, so they are more likely to be lost or stolen. Clear policies and procedures, together with technology such as cloud storage and encryption software, can help ensure compliance.
Companies will need to consider cloud storage or remote VPN access to allow staff to access data away from the office, and to securely store new documents and data created at home in a system that is accessible, protected and owned by the business. This will also discourage staff from using their own personal storage and reduce the risk of data leaks or breaches. When deciding how and where your data is stored, it is important to fully understand where it is actually held and whether that is outside the UK and EU. Remember to include your cloud storage when mapping how the business uses and transfers data, and check where the servers are actually based: this is often outside the UK and EU and, therefore, subject to the additional requirements that apply to international transfers. A VPN connection to a business-owned server in the UK should also be considered.
As always, it will be important to have clear policies and procedures in place. Restricting each employee's access to only the folders and information their role requires will help, as will strong, unique passwords (with multi-factor authentication where available); training and verification processes will become even more important.
With more staff working from home there will be an increase in online communication, whether by instant messaging services, video conferencing or email. Whilst there are various methods and software that can be implemented, it is important that staff only use corporate email solutions, i.e. those that the employer implements and provides. Staff should be given guidance to avoid other means of communication, including personal email accounts, when distributing information, to reduce the risk of a data breach.
In terms of strategy, when implementing any third-party software it is important to ensure that the software is compatible with your data protection obligations. The Hamburg Data Protection Commissioner has recently issued warnings that Zoom may not be compatible with the GDPR, given that data is transferred to the United States and the safeguards Zoom has in place; it remains to be seen how Zoom will respond. Internally, what matters is to regularly monitor and update your data protection and privacy policies. Include the use of new technologies such as video conferencing, regularly update your data mapping, and put in place suitable and effective measures to limit the risk of data breaches. This means having clear procedures, policies (such as data retention and privacy policies) and guidance and training for staff. It is paramount to have clear channels through which staff can report breaches, so that any issue can be rectified swiftly.
As a rule of thumb, staff should have advice on strong passwords and other online protections, clear policies setting out their obligations, and a streamlined process for reporting any breaches.