COVID 19: Keeping your company’s data safe
Posted on 7 Apr 2020
If you had walked into the flagship Apple Store on Regent Street in central London two days before the government lockdown, you would have found out that as of 11.30 am every MacBook on the premises had been sold, with the next shipment not due until later that afternoon. It now seems the reason behind this was business owners wanting to furnish their staff with equipment for working from home, at very short notice, causing a strain on Apple’s stock and supply chain.
The COVID-19 pandemic represents a huge change to many aspects of our lives, and this includes our careers. For some, notably those working in brick and mortar businesses, it sadly may mean a loss of jobs or a switch to furlough employment status; for the more fortunate, it means a switch to remote working. As a result of this now primarily remote workforce, this period may also prove to be a turning point in our entire approach to privacy and personal data protection.
Critically, remote working does not change anything regarding your company’s data protection requirements as under the General Data Protection Regulation (“GDPR”) they remain applicable regardless of the time of day or the location of staff. Therefore, the provision of tools necessary to comply with the still ongoing regulatory requirements is a major consideration, not simply shiny new laptops!
Principle VI contained in the GDPR requires that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures. A lack of such measures may lead to data breaches within the office environment, and such gaps are even more pertinent whilst employees work from home. This, in turn, may bring about an investigation by the Information Commissioner’s Office (the ICO), the UK Supervisory Authority.
As the ICO’s enforcement actions show, the most common data breaches during remote working relate to the loss and unlawful disclosure of personal data. The ICO emphasises that both physical and digital deficiencies in the security of personal data may lead to equally hefty fines; as an example, a local council was fined GBP 70,000 by the ICO for not ensuring appropriate safeguards after an employee left physical files containing personal data on a train. With this specific example in mind, it is not difficult to imagine a scenario where the personal data of investors, employees or stakeholders is exposed to risk through the use of an employee’s personal device, which does not have the same level of security as a work machine. Personal machines are not managed by corporate IT policies and may lack the required safeguards, such as rules on communications that could otherwise be a source of an information leak, or something as simple as up-to-date anti-virus. This is further compounded if staff sign into a VPN from a personal machine to use the office shared drive, as malware or spyware already present on that machine can then gain access to, and infect, the whole system.
On the face of it, all of the above happens due to human error; however, as can be seen from the ICO’s enforcement decisions, human error is traced back to the failures of companies that have not equipped their employees with the tools necessary to protect personal data as it is processed.
Organisational measures should follow the principles of Data Protection by Design and by Default. They must be complemented by the appropriate security measures and properly followed, which requires ensuring awareness amongst all members of staff. A combination of policies and procedures, appropriate IT systems and training allows companies to securely conduct the processing of personal data.
It is absolutely crucial that organisations remind their employees of cybersecurity hygiene: to keep their devices (whether personal or work ones) updated, and not to work in places where their screens can easily be viewed by others, for example by co-inhabitants of their home.
It is also important to ensure that, if you are operating within the scope of the GDPR, your employees are all in the EEA or in a country that has been granted adequacy status by the European Commission; otherwise, an employee accessing personal data will constitute an international data transfer, which has its own regulatory consequences and ought to be addressed in your firm’s policies and procedures. For the same reason, a firm ought to know within which jurisdiction its remote servers are located.
Laven and Data Protection
As working from home seems to be the norm for at least the near future, Laven can help with securing the appropriate compliance infrastructure to protect your organisation from risks to personal data associated with remote working.
Get in touch via: