The data perils of working from home

Daniel Keating

By Daniel Keating, Senior Associate, CMS

Whilst some businesses are now in the process of reopening offices and premises to staff and customers, for many of us there is still likely to be an extended period of working from home.

As they adjust to new working patterns that are likely to become the norm for many, it is essential that businesses and organisations (with their staff and employees) continue to maintain high standards of data protection compliance.

In these difficult times, the last thing that a business can afford to have to deal with is the fallout from a personal data breach.

This could cause yet further economic and reputational damage for the organisation that is impacted, not to mention further harm to the individuals whose data is compromised.

Whilst these are exceptional times, controllers and processors of personal data still have an obligation to ensure that appropriate technical and organisational security measures are in place.

Controller organisations are also still required to notify personal data breaches to the relevant data protection supervisory authorities, and to affected individuals (as relevant).

Processors must notify the relevant controller without undue delay of any personal data breaches.

Given the short time frame for controllers to notify relevant data protection supervisory authorities, most controllers will expect processors to notify them immediately, and this may also be a contractual requirement.

Homeworking may result in increased data protection and security risks, particularly for organisations that are not readily set up for staff to work remotely.

Increased risks could arise in a number of areas, including:

  • Hackers or malicious actors – Taking advantage of the current situation to release phishing scams, viruses, malware or ransomware knowing that an organisation’s systems or an employee’s personal device used to work remotely may be more vulnerable.
  • Infrastructure security – Where staff access is not managed properly using measures such as VPN/secure gateway access and dual authentication.
  • Personal data – The processes for transferring personal data from the office to home – eg staff using removable media, emailing work to personal email accounts, or printing sensitive work-related materials on unsecured personal printers.
  • Home networks – Lack of control and likelihood of weaker protocols on employees’ home networks.
  • Software/platforms – Remote users may need to use different software or unfamiliar platforms in a different way to normal.
  • Device loss/theft – An increased risk of staff losing or having their devices stolen whilst they are away from the office.
  • Remote working systems – Use of new remote working systems, such as collaboration tools, for example. In these instances, shortcuts may have been taken in relation to supplier due diligence, data processing agreements and safeguards for international data transfers, meaning that if a data breach happens supplier-side the customer organisation may not be as well protected as it could be. Also, users and clients may not have been informed that their personal data will be processed using these tools (in line with the organisation’s transparency obligations under the GDPR).

To manage the security risks of a personal data breach during these unusual times, organisations should take measures such as:

  • Constantly reviewing business continuity plans to ensure ongoing availability and resilience of systems required for the business to operate, and ensuring key stakeholders can communicate effectively with each other, but the business and its customers.
  • Remind staff of their obligations regarding data protection and information security, particularly raising awareness of the extra vigilance needed to combat malicious actors.
  • Ensure high security standards are maintained in relation to new systems and tools used to facilitate remote working.
  • Keeping security measures under constant review and regularly updated to ensure they remain appropriate and take into account the new working environment and associated risks.
  • Having your data breach response plan close to hand in case it’s needed.

Organisations should also conduct a thorough review of measures and decisions taken around the time that lockdown was implemented.

Many businesses will simply have not been prepared for large scale home working and will have had to act very quickly to put in place systems to allow them to continue to trade and function.

Decisions may have been taken on a temporary basis or some issues simply not addressed at all due to a lack of capacity to deal with them at the time.

Daniel Keating
Senior Associate, CMS
0161-393 4796