Before COVID-19, working from home was reserved for those who were unable to get into the office, and staff in this position were set up securely with a company-issued laptop and access to a VPN. GDPR policies for working from home were drafted to demonstrate how data should be accessed as part of the company data protection framework.
But when lockdown was announced in March, many small businesses were unprepared and forced to act quickly to ensure staff could work remotely. Few small business owners considered the impact this could have on their GDPR obligations – as personal data was now being accessed outside the office environment, where few controls were in place and little specific data protection training had been offered. This massively increased the risk of data breaches across the operation.
We’ve listed some practical GDPR tips that small businesses can use to minimise the risk of data breaches due to remote working. This list will help you, as data controllers, ensure appropriate security measures are in place to protect the personal data you process.
- If an employee is using their personal laptop (not a company-issued device), how do you know the latest security patches are installed? Not having the latest patches could mean the device is open to hacking or viruses that compromise the personal data being processed on it – very often you won’t even know the machine has been compromised until it is too late.
- If a personal laptop is used temporarily until a company-issued device can be provided, then make sure all personal data for which the company is the data controller is deleted – having copies of personal data on personal laptops constitutes a data breach which must be recorded internally – and could be reportable. If it is reportable, you have 72 hours to report it.
- If working from home, the chances are you’ll be accessing the office server. Your home wifi may be less secure than the office IT environment, so we suggest using a VPN – virtual private network – to access the server. The VPN will hide your connection from potential hackers monitoring wifi signals outside. This will mean you can safely transfer personal data from the office server.
- Will you be printing documents at home? In the office you have filing cabinets that should be locked when not in use – but printing copies of personal data and leaving them on a table at home could mean they are viewed by other people in the property, or thrown away by accident – insecurely destroyed. Think about what you are printing out and where you file it. Are you able to shred it when you’re finished?
- Review your GDPR efforts to date. Your data protection policies should be reviewed regularly anyway, but with such an increase in remote working, consider drafting a specific GDPR working from home policy which should be circulated to all staff.
We understand there are many things to consider when setting staff up to work from home – and it is expected to become more popular, with employers obliged to allow it where possible. PRIVACY HELPER is here to offer GDPR support to small businesses – we’re on hand to answer any questions you may have relating to data protection and the security of personal data – and even offer a low-cost monthly GDPR support package. PRIVACY HELPER would normally recommend a GDPR audit to ascertain where and how data is handled in your business.
GDPR Helpline for Small Businesses
Give us a call to discuss the challenges you’re facing in adapting to a working-from-home setup.