As businesses begin to ask their staff to work from home via various online IT systems and group meeting software systems, it is worth bearing in mind that keeping personal data safe and secure is still important since fines for data breaches will still apply under the General Data Protection Regulation (GDPR). Here are 3 things to consider from an IT perspective when staff start working from home.
1. Training
Many data breaches happen because there is a data breach by an employee. This could be due to an employee being duped by a phishing email or asked to transfer money to the accounts of fraudsters. It may be that during this period of disruption hackers and fraudsters may start to target companies in the knowledge that many employees may be working from home and may not be under the direct supervision of other staff and may find it more difficult to ask for guidance from colleagues who they would ordinarily sit next to in the office.
Sometimes an employee will claim in their defence that they were unaware of the fact that they should have followed various IT security procedures to keep data safe such as using encryption and keeping passwords safe and not responding to phishing-type emails.
It is important for companies to arrange for the relevant IT security training and awareness programs and reminders (even if this is via online training) to fully inform employees within the company about what they should and should not be doing regarding IT even if one might have assumed that employees would always follow such IT security procedures and processes.
2. Governance
Given that data protection has the word ‘data’ in it, it often falls to the IT Director or IT department to handle all kinds of data protection-related compliance issues for the company. However, data protection is an organisational issue that affects the whole company including HR, marketing, operations and sales, as well as IT.
Some companies might have a data protection officer and it is important for that data protection officer to oversee how personal data is processed by the company and make sure that this is done in a legally compliant way. If your company does not have a data protection officer, then someone in the company should be responsible for ensuring that data protection and compliance issues (including the safety and securing of personal data) under GDPR are adhered to even if staff are working from home.
3. Data Breach Plan
Companies should have a data breach plan in place and update it regularly. This is particularly the case now, and the data breach plan should be updated to take into account any new staff behavioural vulnerabilities that may affect the IT systems now that more staff may be working from home. This data breach plan will include details about the processes that staff should take if there is a data breach, including who to contact within the company and also third parties that may need to be contacted such as insurers, law firms and IT security organisations.
Summary
Technology and software systems are critical to the operations of most businesses and so IT directors and others, such as the data protection officers, should take additional measures to ensure that personal data that the company holds is kept safe and secure during this uncertain period.
If you need data protection or GDPR advice, please contact Jimmy using the below details.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.