The Challenges of Hybrid Working: Maintaining Data Security

COVID-19 created unprecedented operational and security challenges for businesses globally across multiple sectors.

Adjustments to the normal working day, whether through a remote working or hybrid working model, are presenting very real risks to the security of data within your organisation.

It all started in March 2020, when severe lockdown measures changed working practices overnight and forced businesses into remote working with little to no preparation.

There was little time to consider potential vulnerabilities of personal data within an organisation – indeed, a survey has estimated that pre-lockdown only 11% of businesses had the facility to work remotely at all!

The ICO states: “… staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.”

Hybrid Risk Assessment

To understand what vulnerabilities may be prevalent in operating a hybrid working model, ask your employees:

  • Is there anyone else in your household present or working from home?
  • Do you have secure storage for work devices/paper records?
  • How do you transport any personal data to and from the office?
  • Do you use free or public WiFi?
  • What do you do with documents once you have finished with them?
  • How are you disposing of them?
  • Have you had data protection and cyber security training?

Vulnerabilities Of Hybrid Working

No Remote Working & Data Security Policy

Working at home should not be an excuse to implement less stringent security measures than you would otherwise have in place at the office. Make sure you have all the correct policies and procedures in place and that all staff are trained on them.

Failure To Encrypt Devices

One of the most effective methods for protecting your work or personal device is encryption, so it is a good idea to check with your IT support that encryption is enabled and active on your device.

All employees should know who to contact if the device is lost or stolen, particularly outside of business hours – this is usually the IT manager or Data Protection Lead. Such information should be stipulated in your company’s Remote Working and Data Security policies, as well as its Data Breach Crisis Management Plan.

Unsecured Or Public WiFi

Cyber criminals are becoming more and more sophisticated about taking advantage of people’s and businesses’ vulnerabilities.

Many free or public WiFi networks can easily be hacked by criminals, so when out and about, use a secure network such as a Virtual Private Network (VPN).

For example, Network Rail recently confirmed that one of its free WiFi hotspot providers suffered a personal data breach that resulted in the email addresses and travel details of about 10,000 people being leaked online.

In addition, check the security of your own home WiFi. If the password is the same as the day it was installed, you should change it.

Physical Document Storage

GDPR requires appropriate measures to be put in place to secure manual records and personal data to avoid the risk of a data breach.

Paper records, files or notes should be secured away at the end of each day, either behind a locked home office door or in locked filing cabinets or storage units.

If any other individual, including a family member, is able to view such records, it is deemed unauthorised access to personal data and thus a breach of GDPR.

Consider also how documents are transported to and from the office. Are they secure? Are they kept in a car overnight? Carried on a train? Are any papers visible?

Data Retention & Disposal

Your organisation should have a Data Retention & Disposal Policy in place which outlines the specified retention periods for each type of personal data you may be processing and provides for regular retention audits.

It is important to dispose of such personal paper records securely, either by using a desktop shredder or by storing them securely until you go back into the office and can avail of the organisation’s secure disposal procedures, i.e. a third-party shredding contractor.

GDPR Training

GDPR training should be completed annually – and this really will be your best defence against an ICO complaint. Take the opportunity to review all your current policies and procedures as part of an annual audit.

Conclusion

Awareness of the potential vulnerabilities of personal data within your organisation will enable you to address the risks and put effective protection measures in place while operating a hybrid working model.
