Whilst some businesses are now in the process of re-opening offices and premises to staff and customers, for many of us there is still likely to be an extended period of working from home. As they adjust to new working patterns that are likely to become the norm for many, it is essential that businesses and organisations, together with their staff and employees, continue to maintain high standards of data protection compliance.
In these very difficult times, the last thing that a business can afford to have to deal with is the fallout from a personal data breach – this could cause yet further economic and reputational damage for the organisation that is impacted, not to mention further harm to the individuals whose data is compromised.
What are the key data protection risks presented by homeworking?
Whilst these are exceptional times, controllers and processors of personal data still have an obligation to ensure that appropriate technical and organisational security measures are in place. Controller organisations are also still required to notify personal data breaches to the relevant data protection supervisory authorities, and to affected individuals (as relevant).
Processors must notify the relevant controller without undue delay of any personal data breaches. Given the short time frame for controllers to notify relevant data protection supervisory authorities, most controllers will expect processors to notify them immediately and this may also be a contractual requirement.
Key considerations
Conduct a thorough review of measures and decisions taken around the time that lock down was implemented.
Remind your staff of their obligations regarding data protection and information security.
Consider whether any amendments to your emergency response plan are required.
Assess which data protection supervisory authorities you are required to notify in case of a breach.
Homeworking may result in increased data protection and security risks, particularly for organisations that are not readily set up for staff to work remotely. Increased risks could arise in a number of areas:
In response to these heightened risks, organisations should take the following steps:
Ensure strong passwords are set for user accounts with two-factor authentication (2FA).
Ensure that devices encrypt data at rest.
Use mobile device management (MDM) software to set up devices with a standard configuration and to enable remote locking or erasure.
Ensure that staff know how to report problems and understand how to keep software and devices up to date and that they apply all updates promptly.
Make sure a virtual private network (VPN) is fully patched.
Disable removable media using MDM settings.
Use antivirus tools where appropriate.
What should organisations be doing to mitigate these risks?
To manage the security risks of a personal data breach during these unsettled times, organisations should take measures such as:
Business continuity plans: Invoking business continuity plans to ensure ongoing availability and resilience of systems required for the business to operate and ensuring that key stakeholders can effectively communicate with each other, the business and its customers / clients.
Employee obligations: Reminding staff of their obligations regarding data protection and information security, in particular raising awareness of the extra vigilance needed to combat hackers or malicious actors.
Security standards: Ensuring that high security standards are maintained in relation to any new systems and tools that are introduced to facilitate remote working.
Security measures: Keeping security measures under constant review and where necessary updated to ensure that they remain appropriate and take account of the new working environment and associated risks – this will involve carrying out an updated risk analysis, reviewing organisational policies and procedures (or putting in place new ones where these do not exist), considering new physical and technical measures and any additional security requirements that may now need to be implemented. The business should consider whether any amendments to its emergency response plan are required in light of these changes.
Data breach response plan: Having the organisation’s data breach response plan close to hand in case this needs to be invoked.
What should you do if you do suffer a data breach?
In the unfortunate event that you do suffer a personal data breach, immediate steps need to be taken to:
Assess who the organisation is required to notify (having identified its lead regulator in advance) – if the breach has a cross-border impact, it may be necessary to notify more than one data protection regulator (depending on the jurisdictions impacted and if the one-stop-shop mechanism applies).
Prepare and file the necessary regulatory breach notifications.
Prepare and send communications to affected data subjects.
Manage reputation and press communications (if necessary).
Under the GDPR, the following breach notification obligations apply:
If your organisation is a controller, it must notify:
the relevant data protection supervisory authorities without undue delay, and at the latest within 72 hours after having become aware of the breach (where feasible), unless the breach is unlikely to result in a risk to individuals; and
affected data subjects without undue delay if the breach poses a high risk to them, unless there are effective technical and organisational protection measures that have been put in place, or other measures that ensure that the risk is no longer likely to materialise.
If your organisation is a processor, it must notify data breaches to the controller without undue delay and assist the controller to comply with its obligations regarding data breaches (although the processor may have contractual obligations to notify the controller within set time periods).
Conclusion
It is important to remember that, whilst your organisation is having to grapple with new ways of working, it is “business as usual” for opportunistic hackers or malicious actors. Therefore, you need to ensure that high standards of information security and data protection are maintained – otherwise, your organisation may find itself fighting other viruses as well as the coronavirus.
Publication
Rebound & Remodel - The data security perils of home working