The advent of COVID-19 restriction saw a rush to remote working, of necessity, at speed and under pressure. This mode of working may remain a feature of working life, whether wholly or partly, after the restrictions have been lifted.
What is concerning many from an IT and data security perspective, is that 'work from home' in reality means complete, untethered workforce flexibility to 'work from anywhere'. However, it remains an inescapable fact that with remote working comes heightened risks in respect of data protection and cybersecurity. The more flexible your remote working arrangements are then the more difficult it becomes to manage your data protection obligations.
It is important to bear in mind that, while leniency, work-arounds and even legislative amendments have been forthcoming in some areas of law in order to ease the burden of compliance for businesses grappling with COVID-19 restrictions, no such accommodations have been provided in the area of data protection. For example:
- data security remains a core principal of data protection law;
- where data breaches are notifiable to the Data Protection Commission, such notification is still required to be given within 72 hours of becoming aware of the breach; and
- the 30-day time limit for complying with a subject access request still applies.
In respect of data security, data protection law requires that businesses implement "appropriate technical and organisational measures". What is "appropriate" will vary depending on (i) the nature and scope of the data processing, (ii) the likelihood and severity of risk to the rights of the individuals whose data is being processed and (iii) the types security technology available and cost of implementation.
Some technical measures which can be applied to help mitigate the risks, include:
- pushing updated anti-virus and anti-malware software to all company devices and including remote-wipe functionality;
- enforcing a strong password protocol (potentially multi-factor authentication) and regular changing of passwords; and
- adopting company approved video conferencing software and building in mandated settings (such as an always enabled waiting room, unique call ID for each meeting and use of the meeting lock functionality).
Managing data security when all of your employees do all of their work within the security of the four walls of your office building(s) presents its own challenges, notwithstanding the comforting presence of controlled building access and even perhaps receptionist or security personnel. Now multiply your office locations by the number of employees on your payroll and strip away all of that physical control over the security of those environments and the scale of the increased exposure quickly becomes apparent.
Many studies have shown that it is more often the individual, rather than the system, which is the primary gateway for the launch of cyberattacks. In that regard, some measures which should be considered in respect of preparing and training your workforce to work from anywhere include:
- reviewing and updating data protection policies to address remote working and bringing these to the attention of all employees. It might help to include as a preface to the policy a bullet point "dos and don'ts" guide for remote working;
- a key factor in any such updated policy will need to be a clear protocol aimed at minimising home printing of business data. Some companies have blocked printing on non-office located devices, while others have provided a secure home-collection service for employees for whom the processing of personal data in hard copy form is unavoidable. The beloved office 'clean desk' policy should be extended to remote working locations to ensure that paper records are locked away when not in use;
- provide education and information sessions to heighten awareness of the additional data protection risks posed by a remote working environment. There are a number of excellent providers in this space which have ready-made, engaging and interactive, animated video tutorials which can be easily rolled out;
- ensure everyone knows who in your organisation to contact first in the event of a data breach; and
- provide headsets for use on conference calls (to help minimise the amount of call information which may be overheard by non-employees).
In all of this focus on data security, it must be remembered that data minimisation and storage limitation are core principles of data protection as well. So businesses should continue to ensure that they only collect and process the minimum amount of personal data required and that any such data is only retained for as long as is required for the purposes for which it is collected.
Having recently passed the two-year anniversary of the coming into force of the General Data Protection Regulation, it is probably fair to say that most businesses have at least some understanding at this stage of their basic obligations under that legislation. Whatever trajectory your business has been on in terms of its GDPR compliance, it is not that legal goalposts have moved but rather that the current mass movement to remote working have resulted in the game being transferred to a different, and much larger, pitch.
To discuss any COVID-19 related issues impacting your business, or your usual Beauchamps contact, or Dorit McCann (EU, Competition & Procurement) Barry Cahir (Litigation and Insolvency), Thomas O'Dwyer & Sharon Delaney (Litigation), Sandra Masterson Power & Paul Gough (Employment), or Aidan Marsh & Gerry Gallen (Property).