Working from Home may become the ‘new normal’ - so it’s essential not to overlook GDPR and cybersecurity risks


It’s now clear that homeworking is going to be a permanent feature in some form in the ‘new normal’ for many businesses as we emerge from the impact of Covid-19 this year. A recent survey by the Institute of Directors suggested that 74% of businesses plan to keep increased homeworking in place, and that over 50% expect to reduce long-term use of normal office spaces.

Many organisations scrambled in response to the first lockdown to rapidly assemble solutions for remote working, or extend existing systems to all employees. Understandably, shortcuts will have been taken in the interests of speed and effectiveness, to keep the business functioning through what was anticipated to be a relatively short-term period. But these very likely left gaps in cybersecurity and GDPR compliance which now need to be plugged to transition safely to longer-term operations.

The UK data protection regulator (the ICO) recently signalled its return to a more normal approach to enforcement after some relaxation during the first lockdown. The ICO is a pragmatic regulator, likely to be sympathetic to real challenges that businesses face. But no business can evade its obligations to comply with data protection law and the ongoing pandemic will not be considered an excuse to do so.

Why is homeworking risky?

People are a company’s weakest security link. Typically, 70% of security issues are caused by human error, often a result of poor processes or poor training rather than malicious intent. So, transferring your employees to work away from their familiar office location and support environment can open up significant risks. People are usually more relaxed at home and may inadvertently let their guard down, more so mid-pandemic when they are feeling more anxious and susceptible to emotional compromise. Key risks are:

  • data flowing into unmanaged cloud locations and personal mobile devices (laptops, smartphones, tablets, USB drives);

  • unauthorised access to, or loss of, those devices;

  • ensuring staff are fully aware of cybersecurity risks, especially with emails: there has been a huge increase in phishing and ransomware attacks post-Covid.

What should you be doing now?

In the ‘new normal’ there should be no difference between working at home, in the office, or when travelling. Your working processes and security arrangements need to be seamless and equivalent for all scenarios. You should review all of your policy and procedure documentation built up as part of your GDPR compliance programme and ensure it is updated with any new risks assessed to reflect changes to the way you operate. In particular, ensure you:

  • review data flows: what personal data is being processed and how it moves through and out of the business (have you introduced new third parties as a consequence of more homeworking?);

  • have a BYOD (Bring Your Own Device) policy: set out how you will manage your employees’ own computers and smartphones when used for company business (has it been updated to reflect new working practices?);

  • have a homeworking policy: define how business data must be handled and what cybersecurity must be in place;

  • refresh your employee training on core data protection and cybersecurity principles, and record when this happened;

  • have a secure and easy way for your remote workforce to communicate with IT support.

If you haven’t already done so, consider certifying to Cyber Essentials or the IASME Governance Standard: these are low-cost and effective ways of demonstrating you have essential cybersecurity in place (and the IASME standard includes additional GDPR-specific requirements, so helps you meet the GDPR’s ‘accountability’ principle).

Protect your business, build trust, and plan ahead

Extended homeworking offers significant improvements in business continuity and flexibility in responding to new challenges. But it can also introduce new risks to your data protection compliance and cybersecurity, so as we head out (perhaps!) of the latest lockdown and into a new year, this is a good time to review where you are, identify gaps you need to plug to ensure your business is not exposed, and plan strategically to re-shape and protect your longer-term operations.

It’s important to aim to embed key data protection and cybersecurity principles into your business culture. This is fundamental to the GDPR’s Accountability and Data Protection by Default requirements, and helps build trust with all your stakeholders. And your well-trained and fully aware staff will be a robust first line of defence for your business.

Doing this review now and taking action to fill the gaps will give you the strong compliance groundwork you can rely on to help take advantage of new opportunities that will emerge as the economy starts to recover.

Christopher Johns
We provide tailored ‘handholding’ support for businesses through their data protection compliance journey, including our integrated Optimiser4 online ‘evidence hub’, linking your data, workflows, people and GDPR categorisation in a simple-to-use collaborative app.