With home and hybrid working now common, the Information Commissioner’s Office has published their top tips for maintaining compliance with GDPR.
In April 2020, the Information Commissioner’s Office (ICO) signalled that it would consider the sudden and unforeseeable move towards home working when deciding whether enforcement action was appropriate under GDPR.
More than two years on, the number of people both home and hybrid working is set to remain well above pre-pandemic levels. However, the ICO considers that employers have had more than sufficient time to revisit procedures and update technology to enable them to protect the information they are responsible for when their staff work from home. Now, they have published their top tips for ensuring that home working does not compromise data protection.
The key takeaways for employers are to ensure that:
Home workers only use approved technology
Only approved devices should be used to access work-related documents and emails. Devices should be password protected and encrypted, and antivirus and antimalware software should be kept up to date. Note that downloading email or messenger apps on personal devices to conduct work may be considered a breach of GDPR if confidential information is accessed.
Communication is secure
Even the simplest of considerations are crucial. Avoid setting up a home office so that your screen faces the window and can be seen by passers-by. And if you leave your desk during the day, close down your device(s).
Working from home can also mean working in close proximity to family members and others. Hold conversations and meetings where you cannot be overheard and position your screen where it cannot be seen by those passing by.
All staff receive ongoing training
GDPR triggered the creation of policies, procedures and guidance to ensure compliance. Reviewing and updating these on a regular basis is essential and a continuing programme of staff training should form part of that process. There should also be clear lines of communication for staff to ask questions and report any concerns.
Employers should keep their cybersecurity framework under review, including adapting it to cover home working.
Care is taken of hard copies
Printouts can prove a real weakness in terms of data protection in any environment. However, it’s a particular concern with home workers who are less likely to have access to confidential waste bins and secure storage. If printing at home is permitted, consider mini confidential waste bins and remote collection. While this can prove expensive, the cost pales into insignificance compared to the level of fines for a data breach!
Also, remember that care should be taken with handwritten notes which contain confidential information.
Downloads are avoided
Downloading documents or files online comes with a range of risks. The website may not be secure, meaning hackers could gain access to your network and therefore your confidential information. Also, downloading files directly to your device means that information is now stored there. If the device is lost or stolen, the information is then at risk. Where at all possible, data should be accessed remotely through a shared document system or intranet.