The New Year has begun on a sour note for many of us. We have been plunged into our third national lockdown requiring most of us to work from home again. Many of us never stopped working from home and so, in terms of technical and organisational security procedures, there is now a wide range of standards implemented by organisations around the country.
This time round there will not be so much flexibility from the ICO regarding failure to implement appropriate data security measures. Companies should pay attention to how secure their remote working procedures actually are. Even for those who have become accustomed to working from home, now is a good time to check that everyone is still as eager to protect the personal data they handle as they were when the home office environment was still a novelty.
Data protection training
It is easy during busy or challenging times to put training on the back burner and prioritise the core business workload, particularly if the new environment challenges our level of productivity. But training and compliance checking are more important than ever if companies are to avoid falling victim to the ever-increasing number of data breaches and cyber attacks. As always, it is not only important to take such steps, but you also need to be able to demonstrate your compliance efforts; from the regulator's point of view, if you can't prove it, then it didn't happen.
Data protection awareness
We all need to be reminded from time to time about the importance of keeping data secure and confidential, and a change of working environment is an ideal time to revisit the general data protection principles and consider how they apply to changed working practices. In our experience, data protection awareness is not difficult to achieve, but without revisiting the subject people become complacent and data protection is perceived as less relevant as it fades to the back of our minds over time.
Protect electronic transfers of data
A key area to tackle is the transfer of business data around the company, between employees' home devices and the organisation's main electronic files. That data needs protecting by providing a secure upload/download facility for your staff to access and update company files when needed, so that personal data and business data are kept away from the insecurities of email (unencrypted transit, misaddressed messages and uncontrolled copies in mailboxes). When looking for a secure file transfer mechanism it is vital to carry out due diligence on the provider and make sure that data is protected in accordance with the GDPR: where it is stored, whether it is encrypted in transit and at rest, who can access it and how access is logged. While it is tempting to use free or low-cost software, these products are the least likely to offer the most secure options.
Protect online meetings
Another key area is your company's mechanism for conducting online meetings. Back in the first lockdown, everyone hastily jumped onto Zoom to continue communication with colleagues, realising in hindsight that its default security settings were not up to standard: anyone who had the link could join a Zoom meeting, no separate password was required, and so the term 'zoom bombing' was coined to describe people joining virtual meetings to which they had not been invited. With cameras and microphones switched off, an uninvited participant could easily go unnoticed. Whatever platform you use, make sure meetings require a passcode, that a waiting room or host admission is enabled, that the meeting is locked once everyone expected has joined, and that the participant list is checked before confidential matters are discussed.
Assess and manage risks
If you did not have the time or skills to undertake a Data Protection Impact Assessment (DPIA) before introducing such new technologies in the first lockdown, this is something to invest in now, so that the risks are identified and managed before it is too late, as it looks as though remote working is here to stay.
Lockdown checklist for data
Here are a few other basic things every company should have in place in order to protect the personal data it holds while employees are working remotely:
- Ensure you have an appropriate set of policies and procedures and that they are regularly reviewed and kept up to date. They should be easily accessible to your employees from their home working environments. In particular, a mobile device and a home/remote working policy will demonstrate that your company has identified and managed the associated security risks.
- Check that your company's IT systems use appropriate technology to prevent unauthorised access to information on mobile devices, for example full-disk encryption and the ability to wipe a device remotely if it is lost or stolen.
- Put in place secure means for accessing company data remotely, for example a VPN combined with two-factor authentication, so that a stolen password alone is not enough to get in.
- Limit the type and amount of personal data that can be downloaded to remote devices or stored on removable media and ensure it is restricted to the minimum required to meet the business need.
- If possible, use a device management solution that can set permissions or restrictions for individual devices as well as for an entire class of devices.
- Do not allow company devices, data or software to be taken off-site without prior authorisation, and keep a record of all mobile devices and removable media in use and who they are allocated to.
If you are behind the curve when it comes to protecting data during lockdowns and are worried that your organisation might not be up to scratch, then give us a call – we can help!