The Challenges of Hybrid Working: Maintaining Data Security

The Challenges of Hybrid Working: Maintaining Data Security

COVID-19 created unprecedented operational and security challenges for businesses globally across multiple sectors.

Adjustments to the normal working day, whether through a remote working or hybrid working model, are presenting very real risks to the security of data within your organisation.

It all started in March 2020, when severe lockdown measures changed working practices overnight and forced businesses into remote working with little to no preparation.

There was little time to consider potential vulnerabilities of personal data within an organisation – indeed, a survey has estimated that pre-lockdown only 11% of businesses had the facility to work remotely at all!

The ICO states: “….. staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.”

Hybrid Risk Assessment

To understand what vulnerabilities may be prevalent in operating a hybrid working model, ask your employees:

  • Is there anyone else in your household present or working from home?
  • Do you have secure storage for work devices/paper records?
  • How do you transport any personal data to and from the office?
  • Do you use free or public WiFi?
  • What do you do with documents once you have finished with them?
  • How are you disposing of them?
  • Have you had data protection and cyber security training?

Vulnerabilities Of Hybrid Working

No Remote Working & Data Security Policy

Working at home should not be an excuse to implement less stringent security measures that you would otherwise have in place at the office. Make sure you have all the correct policies and procedures in place and that all staff are trained on those.

Failure To Encrypt Devices

One of the most effective methods for protecting your work or personal device is encryption, so it is a good idea to check with your IT support that your device is encrypted and activated.

All employees should know who to contact if the device is lost or stolen, particularly outside of business hours – this is usually the IT manager or Data Protection Lead. Such information should be stipulated in your company’s Remote Working and Data Security policies, as well as its Data Breach Crisis Management Plan.

Unsecure Or Public WIFI

Cyber criminals are becoming more and more sophisticated about taking advantage of people’s and businesses’ vulnerabilities.

Many free or public WiFi networks can easily be hacked by criminals, so when out and about, use a secure network such as a Virtual Private Network (VPN).

For example, Network Rail recently confirmed that one of its free WiFi hotspot providers suffered a personal data breach that resulted in the email addresses and travel details of about 10,000 people being leaked online.

In addition, check the security of your own home WiFi. If the password is the same as the day it was installed, you should change it.

Physical Document Storage

GDPR requires the enaction of appropriate measures to secure manual records and personal data to avoid the risk of data breach.

Paper records, files or notes should be secured away at the end of each day using either locked doors on home office space or in locked filing cabinets or storage units.

If any other individual, including a family member, is able to view such records it is deemed as unauthorised access to personal data and thus a breach of GDPR.

Consider also how documents are transported to and from the office? Are they secure? Kept in a car overnight? On a train? Visible papers?

Data Retention & Disposal

Your organisation should have a Data Retention & Disposal Policy in place which should outline the specified retention periods for each type of personal data you may be processing and lay down regular retention audits.

It is important to securely dispose of such personal paper records by using a desktop shredder or securely storing such paper records until you go back into the office and avail of the organisation’s secure disposal procedures i.e. a third party shredding contractor.

GDPR Training

GDPR training should be completed annually – and this really will be your best defence in mitigating against an ICO complaint. Take the opportunity to review all your current policies and procedures as part of an annual audit.


Awareness of the potential vulnerabilities of personal data within your organisation will enable you to address the risks and put effective protection measures in place while operating a hybrid working model.

You might also like

man working from home office
read more
The Challenges of Hybrid Working: Maintaining Data Security More

COVID-19 created unprecedented operational and security challenges for businesses globally across multiple sectors...

Explaining the legal requirements
read more
Explaining the Legal Requirements for GDPR Consent in the UK More

The UK General Data Protection Regulation (GDPR) is designed to protect the personal data of individuals in the United Kingdom...

Pexels august de richelieu 4427819
read more
The Art of Strategic Networking in Legal Marketing More

Networking is essential in the legal industry, and it is an art that requires skill, patience, and dedication. Effective networking can help...