Remote or Hybrid?

Alicia McCrory explores the very real risks to data security of working from home - and the solutions.

COVID-19 created unprecedented operational and security challenges for businesses globally across multiple sectors.

Adjustments to the normal working day, whether through a remote working or hybrid working model, are presenting very real risks to the security of data within your organisation.

It all started in March 2020, when severe lockdown measures changed working practices overnight and forced businesses into remote working with little to no preparation.

There was little time to consider potential vulnerabilities of personal data within an organisation – indeed, a survey has estimated that pre-lockdown only 11% of businesses had the facility to work remotely at all!

Fast forward to today and it is estimated that:

  • 76% of businesses have opted for a hybrid working model
  • 11% will go back to the office full time
  • 9% are fully remote
  • 4% are undecided

The ICO states: “….. staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.”

Risk Assessment

To understand what vulnerabilities may be prevalent in operating a hybrid working model, ask your employees:

  • Is there anyone else in your household present or working from home?
  • Do you have secure storage for work devices/paper records?
  • How do you transport any personal data to and from the office?
  • Do you use free or public WiFi?
  • What do you do with documents once you have finished with them?
  • How are you disposing of them?
  • Have you had data protection and cyber security training?

Vulnerabilities Of Hybrid Working

No Remote Working & Data Security Policy

Working at home should not be an excuse to implement less stringent security measures than you would otherwise have in place at the office. Make sure you have all the correct policies and procedures in place and that all staff are trained on them.

Failure To Encrypt Devices

One of the most effective methods for protecting your work or personal device is encryption, so it is a good idea to check with your IT support that encryption is enabled and active on your device.

All employees should know who to contact if the device is lost or stolen, particularly outside of business hours – this is usually the IT manager or Data Protection Lead. Such information should be stipulated in your company’s Remote Working and Data Security policies, as well as its Data Breach Crisis Management Plan.

Unsecured Or Public WiFi

Cyber criminals are becoming more and more sophisticated about taking advantage of people’s and businesses’ vulnerabilities.

Many free or public WiFi networks can easily be hacked by criminals, so when out and about, use a secure network such as a Virtual Private Network (VPN).

For example, Network Rail recently confirmed that one of its free WiFi hotspot providers suffered a personal data breach that resulted in the email addresses and travel details of about 10,000 people being leaked online.

In addition, check the security of your own home WiFi. If the password is the same as the day it was installed, you should change it.

Physical Document Storage

GDPR requires appropriate measures to be put in place to secure manual records and personal data and avoid the risk of a data breach.

Paper records, files or notes should be secured away at the end of each day, either behind locked doors in a home office space or in locked filing cabinets or storage units.

If any other individual, including a family member, is able to view such records, it is deemed unauthorised access to personal data and thus a breach of GDPR.

Consider also how documents are transported to and from the office. Are they secure? Are they kept in a car overnight? Carried on a train? Are papers left visible?

Data Retention & Disposal

Your organisation should have a Data Retention & Disposal Policy in place which should outline the specified retention periods for each type of personal data you may be processing and lay down regular retention audits.

It is important to dispose of such personal paper records securely, either by using a desktop shredder or by storing them securely until you go back into the office and can avail of the organisation’s secure disposal procedures, i.e. a third-party shredding contractor.

GDPR Training

GDPR training should be completed annually – and this really will be your best defence against an ICO complaint. Take the opportunity to review all your current policies and procedures as part of an annual audit.

Conclusion

Awareness of the potential vulnerabilities of personal data within your organisation will enable you to address the risks and put effective protection measures in place while operating a hybrid working model.
