The adoption of wide scale homeworking has brought with it new risks around data protection. Organisations must be alert to the risks and take steps to ensure they remain data protection compliant.
What are the risks?
- Poor data security: Organisations must ensure that they implement appropriate technical and organisational measures to address the particular security risks that may arise in a home working environment. The key focus areas include maintaining the confidentiality of data, maintaining complete, up to date and accurate data records and ensuring access to data when needed.
- Erosion of good data housekeeping: Established procedures to meet core obligations around data retention and accuracy may be forgotten, or simply not work, in a home working situation. This can result in a breach of the data protection principles as well as causing difficulties when dealing with data subject rights requests and breach management.
- Managing data subject rights requests: The decentralisation of data due to staff using their own devices, holding hard copy files at home or storing electronic documents away from centralised systems can pose significant challenges to an organisation’s ability to quickly and accurately collate relevant data records in response to requests.
- Underreporting of data breaches: Staff may be less alert to a data breach whilst homeworking and/or less likely to report a breach internally due to reduced perception of risk or fear of repercussions. This can have significant repercussions for an organisation’s ability to effectively manage breaches and meet statutory reporting deadlines.
- Outdated accountability measures: Policies and documents recording how organisations comply with their data protection obligations may no longer reflect the new reality of the homeworking environment.
How can you mitigate these risks?
- Make use of knowledge and resources: Use the guidance on the ICO website and the National Cyber Security Centre website. Ensure best use is made of internal resources within your business (e.g. IT team, data compliance team) and consider filling any gaps with trusted external providers.
- Do a Data Protection Impact Assessment (DPIA): use the ICO’s template DPIA to identify specific risks arising from home working arrangements and decide what technical or organisational measures can be used to address them.
- Update policies and procedures: relevant policies to review and update will include bring your own device (BYOD), remote working and IT security policies and procedures for managing rights requests and data breaches should also be considered. If new data processing activities have been introduced (e.g. to monitor staff activity when home working) privacy policies will also require updating).
- Communicate: provide short, regular updates to keep staff up to date with changes to policies, procedures and technologies. Ensure staff are aware that rights requests and breaches must be reported immediately and who these are to be reported to.
- Make appropriate IT support available: Ensure your IT support is on hand to assist staff navigate their new way of working. This will help staff comply with the IT and data security measures you put in place to maintain your data protection compliance.