Data Protection Challenges of Remote Working


In March 2020, businesses found themselves having to quickly adapt to managing a remote workforce. The IT department felt the pressure to create the infrastructure to enable this and information security teams looked for ways to effectively monitor the network in the new world. Remote working brings with it a number of data protection and privacy challenges.  

Challenge One – People

The number one cause for personal data breaches is people. It only takes a momentary lack of concentration for a senior manager to send the salaries and sickness leave details of their entire team to external clients by email or a very busy CEO to leave their laptop on a train. 

There will always be an element of risk to handling personal data, but the acknowledgement of this with mitigation and management can drastically reduce the risk of a large-scale reportable data breach. 

Understanding the following can all assist with the risk management strategy of an organisation:

  • How the workforce usually operate in the office versus how people may have to set up their working environment at home
  • How their emotions and mental health may be affected during these difficult times and how this could impact their working 
  • What employees need to retain some form of ‘normality’ for their remote working

Challenge Two – Technology

Many employees now work on laptops and some office workers are used to the occasional day working from home. When this becomes a full-time arrangement for a large number of staff all at once, the technology supplied to employees is put to the test to withstand the almost instantaneous move to remote working.

Applications

Managing data appropriately and knowing what data is where makes governance of risk far easier for those working in the field of cyber security, as it is often only once something goes wrong that the unknown ways of working come to light!

Whilst working at home, it is far more tempting for employees to use personal devices, removable storage devices or their own personal drives to access data when easy access to what they need is restricted. Remote access to commonly used applications for the workforce allows data to be retained in applications already approved by the organisation for visibility, and reduces the risk of additional copies of data being generated or used inappropriately by staff.

Video Conferencing

Lockdown led a number of individuals to download video conferencing applications to keep in touch with family and friends. For some businesses, the use of video conferencing was not an option prior to March, but now most meetings occur across Teams, Skype or Zoom. The use of video conferencing brings with it many additional risks for a business and the security team must be satisfied that the exchanges within the application are protected by the required company standard. 

The press has reported on several cases of “Zoom Bombing” whereby third parties invade organised meetings and cause disruption. The unwelcome guests have been reported to have shared distressing images or displayed inappropriate language to all attendees, some of which have led to police investigations.

Email

Email traffic over the past twelve weeks has inevitably risen for all businesses as workers seek to connect with their colleagues. The amount of data being generated and shared has understandably increased and organisations need to consider this risk over the coming months as business approaches adapt to the new normal. 

Inboxes tend to be the hardest data records to effectively manage. Ultimately the user needs to take ownership of the issue. Phishing emails are also one of the most common methods a hacker uses to hack a system and therefore it is imperative users know what to look out for and how to report potential threats. 

Awareness campaigns and an active push from managers for their staff to review their inboxes and ‘purge’ what they no longer need are good ideas.

Challenge Three – Paper

Some organisations still rely heavily on paper printouts to run their operations.
With individuals now working from home, there needs to be a greater awareness amongst staff around how to appropriately handle paper records and most importantly, how to securely destroy them. 

Where employees need to print out records, they should be advised how to manage these at home whilst the phased return to offices continues.

Challenge Four – Data Sharing

Without the option of walking over to someone’s desk to ask a question, people are using email and other communications platforms to deal with queries and share documents. 

Data sharing can test the principle of data minimisation as human nature often leads people to share far more than is required for the purpose. Engaging with employees and reminding them of how they must take the time to anonymise data where possible, or remove the excess columns from a spreadsheet before sending it, could prove useful in combatting the problem.  

A recent example of where email communications can go horribly wrong is that of the disclosure of abuse survivors' details, whereby the sender of the monthly newsletter failed to anonymise the data of the victims before pressing send.

One way to manage and control the sharing within an organisation is to ensure the data protection policy has clear guidelines around company approved data sharing platforms. The key to keeping data sharing under control is to make the preferred method easy! If too much effort is required with granting external access to a sharing portal, uploading documents with passwords and then having to send links, people will stray and resort to the easier method of email attachments. 

Handy Tips

So as staff begin to return to work, here are some more practical tips to protect personal data:

  1. Engage with staff to gain an understanding of how their ways of working have changed and what difficulties they are facing with data management.
  2. Ensure that the company policies around remote working, data protection and information security are up-to-date and accessible to all.
  3. Offer a remote IT helpdesk service for employees who are having difficulties operating their hardware or software from home to prevent them using their own devices to work on.
  4. Ensure staff are installing software updates onto their work devices.
  5. Raise awareness of phishing emails and remind staff how to report them safely.
  6. Secure cloud storage solutions should be in place and staff should know how to use them. 
  7. Communicate the data breach or incident management procedure to staff.
  8. Account for any additional processing that has been required to take place over the past few months in the Record of Processing Activities.

Samantha Smith is a Data Protection Manager and qualified Solicitor with experience of data protection compliance projects across both public and private sectors. 

Our GDPR Essentials E learning course is designed to teach frontline staff essential GDPR knowledge in an engaging, fun and interactive way. In just over 30 minutes staff will learn about the key provisions of GDPR and how to keep personal data safe.

Ibrahim Hasan on the BBC

The last week has been really busy for our managing director and data protection expert, Ibrahim Hasan, with a frenzy of media interviews. Well, not quite a “frenzy”, but three is a start!

Ibrahim was first interviewed on BBC Radio 5 live’s Drive programme by Anna Foster.
He spoke about the rules requiring restaurants and pubs to keep contact details of customers and the GDPR/DPA consequences if things go wrong. He emphasised the importance of business owners complying with data protection laws and educating their staff on their responsibilities.

You can listen again here (14.35 onwards). More on customer contact tracing data in our blog.

Later in the day, Ibrahim had his first live television interview, which was broadcast on BBC News 24 and BBC News Worldwide. He was asked about the new NHS Contact Tracing App and the privacy implications. He also talked about the consequences of misusing personal data. We are waiting to receive the recording of this interview. In the meantime you can read the feedback on our social media channels (LinkedIn and Twitter). You can also read more about the previous version of the NHS Contact Tracing App in our blog.

Finally, on 18th September, Ibrahim appeared on BBC Radio Berkshire to talk about the same issue. This followed a lady who was contacted by a bus driver for a date using her T and T details! 

You can listen here (from 1.26.26):  https://www.bbc.co.uk/sounds/play/p08pt1fd

These and other GDPR developments will be discussed in detail by Ibrahim in our online GDPR update workshop next week.

The Brexit Trade Deal: Implications for Data Protection and International Transfers

December 2020 Update: This post was originally titled “Brexit, Trade Deals and GDPR: What happens next?” and published in September 2020. It was updated on 26th December 2020.


So finally the UK has completed a trade deal with the EU which, subject to formal approval by both sides, will come into force on 1st January 2021. The full agreement has now been published and answers a question troubling data protection officers and lawyers alike.

International Transfers

On 1st January 2021, the UK was due to become a third country for the purposes of international data transfers under the EU GDPR. This meant that the lawful transfer of personal data from the EU into the UK without additional safeguards (standard contractual clauses etc) being required would only have been possible if the UK achieved adequacy status and joined a list of 12 countries. This was proving increasingly unlikely before the deadline and would have caused major headaches for international businesses.

The problem has been solved, albeit temporarily. Pages 406 and 407 of the UK-EU Trade and Cooperation Agreement contain provisions entitled, “Interim provision for transmission of personal data to the United Kingdom.” This allows the current transitional arrangement to continue, i.e. personal data can continue to flow from the EU (plus Norway, Liechtenstein and Iceland) to the UK for four months, extendable to six months, as long as the UK makes no major changes to its data protection laws (see UK GDPR below). This gives time for the EU Commission to consider making an adequacy decision in respect of the UK, which could cut short the above period. Will the UK achieve adequacy during these 4-6 months? Whilst there is much for the EU to consider in such a short time, I suspect that pragmatism and economic factors will swing the decision in the UK’s favour.

The UK GDPR

Despite the last minute trade deal, on 1st January 2021 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will still come fully into force. These regulations will amend GDPR and retitle it as “UK GDPR”. The amendments are essentially a tidying up exercise. The UK GDPR also deals with post Brexit international data transfers from the UK. More here.

These and other GDPR developments will be discussed in detail in our online GDPR update workshop. 

Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe? Our GDPR Essentials e-learning course can help you do this in less than 45 minutes.