COVID-19 created unprecedented operational and security challenges for businesses globally across multiple sectors.
Adjustments to the normal working day, whether through a remote working or hybrid working model, are presenting very real risks to the security of data within your organisation.
It all started in March 2020, when severe lockdown measures changed working practices overnight and forced businesses into remote working with little to no preparation.
There was little time to consider potential vulnerabilities of personal data within an organisation – indeed, a survey has estimated that pre-lockdown only 11% of businesses had the facility to work remotely at all!
The ICO states: “….. staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.”
To understand what vulnerabilities may be prevalent in operating a hybrid working model, ask your employees:
No Remote Working & Data Security Policy
Working at home should not be an excuse to implement less stringent security measures that you would otherwise have in place at the office. Make sure you have all the correct policies and procedures in place and that all staff are trained on those.
Failure To Encrypt Devices
One of the most effective methods for protecting your work or personal device is encryption, so it is a good idea to check with your IT support that your device is encrypted and activated.
All employees should know who to contact if the device is lost or stolen, particularly outside of business hours – this is usually the IT manager or Data Protection Lead. Such information should be stipulated in your company’s Remote Working and Data Security policies, as well as its Data Breach Crisis Management Plan.
Unsecure Or Public WIFI
Cyber criminals are becoming more and more sophisticated about taking advantage of people’s and businesses’ vulnerabilities.
Many free or public WiFi networks can easily be hacked by criminals, so when out and about, use a secure network such as a Virtual Private Network (VPN).
For example, Network Rail recently confirmed that one of its free WiFi hotspot providers suffered a personal data breach that resulted in the email addresses and travel details of about 10,000 people being leaked online.
In addition, check the security of your own home WiFi. If the password is the same as the day it was installed, you should change it.
Physical Document Storage
GDPR requires the enaction of appropriate measures to secure manual records and personal data to avoid the risk of data breach.
Paper records, files or notes should be secured away at the end of each day using either locked doors on home office space or in locked filing cabinets or storage units.
If any other individual, including a family member, is able to view such records it is deemed as unauthorised access to personal data and thus a breach of GDPR.
Consider also how documents are transported to and from the office? Are they secure? Kept in a car overnight? On a train? Visible papers?
Data Retention & Disposal
Your organisation should have a Data Retention & Disposal Policy in place which should outline the specified retention periods for each type of personal data you may be processing and lay down regular retention audits.
It is important to securely dispose of such personal paper records by using a desktop shredder or securely storing such paper records until you go back into the office and avail of the organisation’s secure disposal procedures i.e. a third party shredding contractor.
GDPR Training
GDPR training should be completed annually – and this really will be your best defence in mitigating against an ICO complaint. Take the opportunity to review all your current policies and procedures as part of an annual audit.
Conclusion
Awareness of the potential vulnerabilities of personal data within your organisation will enable you to address the risks and put effective protection measures in place while operating a hybrid working model.
Companies must adhere to stringent data protection regulations to protect their staff and customers while avoiding fines...
Briefed launches Honesty Box Initiative, delivering expert training and advice from barristers at a price charities...
Phishing scams, a long-standing issue that many people are familiar with, have become even more dangerous and prevalent in today’s technology-driven world...