27 October 2020

GDPR and working from home: protecting your business


how to facilitate homeworking whilst avoiding data breaches.

As the world starts to navigate life beyond lockdown, it seems that for many businesses the future will be a mix of remote working and office-based activity. The split is the subject of much debate and isn’t for this soapbox (although to get an idea of where our heart lies see here).

GDPR post lockdown.

As businesses start to think about what the new normal means for them, we are starting to see a rise in clients who are receiving complaints about their data usage. Whilst most of the world retreated in March 2020, sadly, the reach of the GDPR was as broad and strong as it ever was in the old normal.

working from home.

Technology has enabled many of us to be able to work from our homes, be that by balancing a computer on our ironing board, or by setting up a state-of-the-art studio in our home garden office. Technology in lockdown meant that we could recreate some of the face-to-face interactions that so many of us missed. It has also meant that documents could be shared freely, contracts signed electronically, and deals negotiated from multiple locations.

However, there is a dark side. Technology has also opened new data flows and a raft of new breaches that were never even contemplated when firms set about dusting off their privacy notices two or three years ago.

watch-outs for working from home.

Here we have collected our top four “new-normal” watch-outs for working from home, areas where businesses could be exposed to risk:

1. video calls.

The biggest revelation for most businesses over lockdown was that video conference technology had a use that extended beyond international meetings. Not only that, many have found (drumroll) the technology user-friendly. And you can share your screen! And you can talk to more than one person at a time!

Not only has this opened a window into people’s homes, increasing empathy and understanding amongst colleagues and with clients, it has also opened up new ways of breaching GDPR. There is the obvious screen share fail, and we aren’t talking family members in the background, but rather opening up your data to all of those on the other end of the call. There are more subtle breaches too. Remember all the discussion when GDPR came in about not sharing lists with other conference/event guests? The same is true in the virtual world too. Have you been inviting people to attend webinars where all participants are there for others to see?

2. technology introduced quickly.

When most firms introduce new technology, they do so after a considered view of what and how. Privacy by design is at the fore. C-19 meant that many businesses had to adapt fast. The usual checks and balances did not happen. Video conferencing policy? What?!

Now that we enter the new normal, it is perhaps time for firms to review what has been introduced and think about what assessments were carried out from a data protection perspective. GDPR requires constant monitoring.

Asking the questions that you perhaps didn’t have the time to ask in March, when requests for laptops were coming in thick and fast, could prevent the ICO from calling in the future.

3. different working practices.

Replacing the desk with an ironing board wasn’t the only change that employees have got used to. To make remote working work, files have been shared by whatever means possible. Things that would normally have been safe and secure in the cloud have been downloaded onto desktops.

As with technology, this next phase in our 2020 journey should be a time to pause and think about the impact that these might have on our data. How can we embrace these practices without breaching GDPR at the same time?

4. traditional risks forgotten.

Everyone knows that you don’t leave your bag on the train, and that you tidy away the desk at the end of the day (because the cleaner is really an undercover corporate spy). However, working from home is different. It’s a controlled environment. The kids and the cat don’t care about the data you and your employees are working on, and frankly, the only concern that most people at home have is whether the Wi-Fi can power 6 devices at once.

BUT…the sense of relaxation that most of us have had has an implication when it comes to data. Employees are less alert about locking their computers when they walk away from the desk or keeping their papers hidden from view. Whilst this was generally fine (unless that cat was also an undercover corporate spy), now things are relaxing, employees might have fallen into new habits that are hard to break. In-person meetings are now taking place, colleagues might be visiting each other’s homes, employees are back in the office and coffee shops are once more becoming a replacement for the ironing board.

Firms that control or process data will need to think about revisiting old problems in new scenarios. Yes, we are going to talk bag on the train again, but moreover, having one foot in the office and one foot at home will mean a shift in risk which should result in a shift in policies.

and the B word.

Those who got their wish for the news to talk about something other than Brexit might be thinking that they should have wished for something else…or perhaps been a little bit more specific! Notwithstanding, Brexit has started to come back as a topic for discussion. Whatever the outcome, even those companies operating in a UK bubble will still need to comply as the UK has said that UK data protection law will mirror the GDPR. So, the wish for GDPR to be forgotten is one that does not look set to be granted. We will keep you abreast of major changes, but we would also recommend you visit the ICO website.

If reading this article has made you reach for your pick-me-up of choice, fear not, Lawbox stands ready to turn your GDPR nightmare into a GDPR dream. Call us to find out about our GDPR workshops and how you can create a GDPR Storybook for your firm.
