In March 2020, businesses found themselves having to quickly adapt to managing a remote workforce. The IT department felt the pressure to create the infrastructure to enable this and information security teams looked for ways to effectively monitor the network in the new world. Remote working brings with it a number of data protection and privacy challenges.
Challenge One – People
The number one cause of personal data breaches is people. It only takes a momentary lack of concentration for a senior manager to send the salaries and sickness leave details of their entire team to external clients by email, or for a very busy CEO to leave their laptop on a train.
There will always be an element of risk to handling personal data, but the acknowledgement of this with mitigation and management can drastically reduce the risk of a large-scale reportable data breach.
Understanding the following can all assist with the risk management strategy of an organisation:
- How the workforce usually operates in the office versus how people may have to set up their working environment at home
- How their emotions and mental health may be affected during these difficult times and how this could impact their working
- What employees need to retain some form of ‘normality’ for their remote working
Challenge Two – Technology
Many employees now work on laptops and some office workers are used to the occasional day working from home. When this becomes a full-time arrangement for a large number of staff all at once, the technology supplied to employees is put to the test to withstand the almost instantaneous move to remote working.
Managing data appropriately and knowing what data is where makes governance of risk far easier for those working in the field of cyber security, as it is often only once something goes wrong that the unknown ways of working come to light!
Whilst working at home, it is far more tempting for employees to use personal devices, removable storage devices or their own personal drives to access data when easy access to what they need is restricted. Remote access to commonly used applications for the workforce allows data to be retained in applications already approved by the organisation for visibility and reduces the risk of additional copies of data being generated or used inappropriately by staff.
Lockdown led a number of individuals to download video conferencing applications to keep in touch with family and friends. For some businesses, the use of video conferencing was not an option prior to March, but now most meetings occur across Teams, Skype or Zoom. The use of video conferencing brings with it many additional risks for a business and the security team must be satisfied that the exchanges within the application are protected by the required company standard.
The press has reported on several cases of “Zoom Bombing” whereby third parties invade organised meetings and cause disruption. The unwelcome guests have been reported to have shared distressing images or displayed inappropriate language to all attendees, some of which have led to police investigations.
Email traffic over the past twelve weeks has inevitably risen for all businesses as workers seek to connect with their colleagues. The amount of data being generated and shared has understandably increased and organisations need to consider this risk over the coming months as business approaches adapt to the new normal.
Inboxes tend to be the hardest data records to effectively manage. Ultimately the user needs to take ownership of the issue. Phishing emails are also one of the most common methods a hacker uses to hack a system and therefore it is imperative users know what to look out for and how to report potential threats.
Awareness campaigns and an active push from managers for their staff to review their inboxes and ‘purge’ what they no longer need are good ideas.
Challenge Three – Paper
Some organisations still rely heavily on paper printouts to run their operations.
With individuals now working from home, there needs to be a greater awareness amongst staff around how to appropriately handle paper records and most importantly, how to securely destroy them.
Where employees need to print out records, they should be advised how to manage these at home whilst the phased return to offices continues.
Challenge Four – Data Sharing
Without the option of walking over to someone’s desk to ask a question, people are using email and other communications platforms to deal with queries and share documents.
Data sharing can test the principle of data minimisation as human nature often leads people to share far more than is required for the purpose. Engaging with employees and reminding them of how they must take the time to anonymise data where possible, or remove the excess columns from a spreadsheet before sending it, could prove useful in combatting the problem.
A recent example of where email communications can go horribly wrong is the disclosure of abuse survivors' details, where the sender of the monthly newsletter failed to anonymise the victims' data before pressing send.
One way to manage and control the sharing within an organisation is to ensure the data protection policy has clear guidelines around company-approved data sharing platforms. The key to keeping data sharing under control is to make the preferred method easy! If too much effort is required with granting external access to a sharing portal, uploading documents with passwords and then having to send links, people will stray and resort to the easier method of email attachments.
So as staff begin to return to work, here are some more practical tips to protect personal data:
- Engage with staff to gain an understanding of how their ways of working have changed and what difficulties they are facing with data management.
- Ensure that the company policies around remote working, data protection and information security are up-to-date and accessible to all.
- Offer a remote IT helpdesk service for employees who are having difficulties operating their hardware or software from home to prevent them using their own devices to work on.
- Ensure staff are installing software updates onto their work devices.
- Raise awareness of phishing emails and remind staff how to report them safely.
- Secure cloud storage solutions should be in place and staff should know how to use them.
- Communicate the data breach or incident management procedure to staff.
- Account for any additional processing that has been required to take place over the past few months in the Record of Processing Activities.
Samantha Smith is a Data Protection Manager and qualified Solicitor with experience of data protection compliance projects across both public and private sectors.