Oliver Rowe, managing director of Fusion Communications, explains how businesses can remain GDPR compliant as more employees adopt remote working.
The events of the pandemic have reshaped the way many of us work, with remote and flexible working becoming a new norm for many industries.
The Office for National Statistics reported that the proportion of people working remotely rose from 27% in 2019 to 37% in 2020, with nearly 24% of businesses planning to use working from home in the future. The Information and Communication industry reported the highest proportion, at 49%.
Given this, data security and GDPR issues arising from client information being accessed from home or from personal devices have also become more commonplace. Here are some key points businesses should consider to ensure data security and GDPR compliance from remote workers.
GDPR and remote working
The General Data Protection Regulation (GDPR) is an EU regulation that came into effect in May 2018 and sets out binding rules for the collection and processing of the personal data of people in the EU (the UK retained it in domestic law as the UK GDPR after leaving the EU). Among other obligations, it requires an organisation that suffers a personal data breach to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and to inform the affected individuals where the breach is likely to result in a high risk to them.
Businesses that fail to comply can be fined up to €20 million or 4% of annual worldwide turnover, whichever is higher (the UK GDPR sets the cap at £17.5 million or 4%), so it comes as no surprise that in a recent survey conducted by Fusion Communications, 37% of respondents cited data security as their biggest communication challenge during the pandemic (Fusion Communications Survey 2021).
This has important implications for remote working: the same level of security and due diligence is required when handling personal data at home as in the office, both to prevent a data breach and to remain GDPR compliant. It is therefore crucial that steps are in place to minimise security risks when handling data remotely.
Data access and storage
Remote working has driven an increase in BYOD (Bring Your Own Device), with many employees using their own smartphone or laptop. Personal devices and accounts, however, often lack the security and technical safeguards of a managed corporate device, and company data ends up mixed with the employee's own personal data, where it is harder to protect, locate and delete.
Likewise, copying company data onto personal storage such as USB sticks, or keeping it on a home machine, puts its confidentiality and integrity at risk. Working from home also increases the chance of the data being lost or inadvertently read by family members or other unauthorised people, and under GDPR any such unauthorised access or loss is itself a personal data breach. Appropriate security measures are needed to mitigate these risks.
Issuing separate, company-managed smartphones is one way to prevent the mixing of data, as it gives the business control over the data and apps on those devices. It also makes it easier to enforce further security measures such as passcode policies and centrally managed updates, while demonstrating that the company is in control of sensitive data and has taken steps to protect it.
Protecting data when remote working
Whether a business or a personal device is used, effective Mobile Device Management (MDM) is key to enforcing security measures on mobile devices: a screen lock and passcode policy, device encryption, up-to-date software, and the ability to wipe company data from a device that is lost, stolen or leaves the business.
Encrypting data at rest on the devices used remotely (full-disk encryption on laptops, the built-in encryption on smartphones) keeps the data unreadable to whoever finds or steals a device, even if the device itself is lost. In addition, a corporate Virtual Private Network (VPN) provides an encrypted connection between the remote device and the company network, so data in transit cannot be read on home or public Wi-Fi. A VPN protects the connection, not the endpoint: a compromised laptop with VPN access is still a compromised laptop, which is why device management and encryption are needed alongside it.
Employees should have access only to the data they require to complete their work, so that a compromised account or device exposes as little as possible. Access should be restricted on a 'need-to-know' basis wherever practical, denied by default, and logged so that unauthorised attempts can be investigated.
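As an added illustration (not code from the article or from Fusion Communications), the following Python sketch shows what a need-to-know check looks like in practice: client records carry the team that handles them, access is denied unless the employee's team matches or an explicit grant exists, any request from a device not enrolled in MDM is refused, and every decision is written to an audit log. The data model, the `managed_device` flag and the sample records are all constructed assumptions for the example.

```python
"""Need-to-know access check for client records (illustrative, not a real product)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Record:
    record_id: str
    client: str
    handling_team: str          # the only team with a routine business need


@dataclass(frozen=True)
class Employee:
    user_id: str
    team: str
    extra_grants: frozenset = frozenset()   # record ids granted individually
    managed_device: bool = False            # assumed to come from an MDM check-in


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: list[dict] = []   # in practice this goes to a central log, not a list


def check_access(user: Employee, record: Record) -> Decision:
    """Deny by default; allow only on a demonstrable need-to-know from a managed device."""
    if not user.managed_device:
        decision = Decision(False, "unmanaged device")
    elif user.team == record.handling_team:
        decision = Decision(True, "handling team")
    elif record.record_id in user.extra_grants:
        decision = Decision(True, "explicit grant")
    else:
        decision = Decision(False, "no business need")
    # Every decision, allowed or not, is recorded so the DPO can see who tried what.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id,
        "record": record.record_id,
        "client": record.client,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def denied_attempts() -> list[dict]:
    """Audit-log entries a security team would review: refused accesses only."""
    return [entry for entry in AUDIT_LOG if not entry["allowed"]]


# Constructed sample data: two client records, three employees.
INVOICE = Record("R-1001", "Acme Ltd", "accounts")
CAMPAIGN = Record("R-2002", "Acme Ltd", "marketing")

ALICE = Employee("alice", "accounts", managed_device=True)
BOB = Employee("bob", "marketing", managed_device=True)
BOB_WITH_GRANT = Employee("bob", "marketing", frozenset({"R-1001"}), managed_device=True)
ALICE_PERSONAL_PHONE = Employee("alice", "accounts", managed_device=False)


def run_demo() -> dict:
    """Exercise the check and return the decisions so they can be inspected or tested."""
    AUDIT_LOG.clear()
    return {
        "alice_invoice": check_access(ALICE, INVOICE),
        "bob_invoice": check_access(BOB, INVOICE),
        "bob_granted_invoice": check_access(BOB_WITH_GRANT, INVOICE),
        "bob_campaign": check_access(BOB, CAMPAIGN),
        "alice_personal_phone": check_access(ALICE_PERSONAL_PHONE, INVOICE),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:22} allowed={decision.allowed!s:5} ({decision.reason})")
    print(f"{len(denied_attempts())} denied attempts in audit log")
```

The point of the example is the shape of the rule, not the data model: the default branch denies, a grant has to be explicit and attached to a specific record, the device-posture check runs before any data decision, and refusals are logged rather than silently dropped.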
Crucially, companies should provide all employees working from home with a clear and documented remote working policy that outlines precisely how personal and company data should be handled to keep it secure, with regular training to ensure employees are aware of the best practices for remaining compliant with GDPR requirements.
As more businesses experience an increase in remote working, it has become vital for employers to review their policies and practices on data security to ensure continued compliance with GDPR when working from home.
Companies must remain aware of the security risks that come with handling data outside the office environment. Implementing appropriate safeguards and giving employees the tools and training they need will reduce the likelihood of data breaches and of the costly fines associated with GDPR non-compliance.