Remote working has enabled some businesses to carry on throughout the coronavirus lockdown, but have they paid enough attention to GDPR (General Data Protection Regulations)?
As more businesses open up with the easing of restrictions, a combination of more stringent safety measures in workplaces and a realisation that they can carry on successfully with remote working may lead many to adopt remote working as part of their normal business practice.
GDPR was introduced in the UK in May 2018 to strengthen data protection for individuals. It imposed significant financial penalties, as much as 4% of a company’s annual turnover, for breaches and failures.
However, research by the IT support company ILUX among 2000 remote workers during lockdown revealed that one in ten believed that their expected working practices were not GDPR compliant.
A combination of these workers using their own IT equipment and inadequate IT support from their employers at a time of crisis was partly to blame for this.
If businesses are intending to continue using remote working for all or part of their workforces, they will need to revisit a number of practices that affect GDPR.
Some will perhaps require a significant outlay, but it is arguably money well spent if the alternative is a massive fine for non-compliance.
Ideally, remote workers should be supplied with business-owned devices, not home computers, phones and/or tablets, preferably connected to the business’s intranet.
All devices should have the latest patches applied, to ensure security vulnerabilities or other bugs are fixed, as well as anti-virus, anti-spam and web protection. The same care should extend beyond the devices themselves to network security measures such as device encryption, firewalls and web filtering.
In addition, the business should revisit its GDPR guidance on secure working for employees and advise them on how best to maintain their IT security, including passwords and replacement policies, and on best practice such as using multi-character passwords, using two-factor authentication, and not re-using passwords.
GDPR security for remote workers also includes keeping laptops, mobile phones and tablets securely locked away when not in use and not allowing family members or housemates to use, or see, anything work-related. The same applies to removable devices like USBs, which should also be checked for malware before use.
Any personal data that remote workers need to access for their work and then store on a USB or in printed form should also be locked away securely when not in use.