Remote Working and GDPR Compliance

Remote working arrangements have become more crucial than ever in view of the COVID-19 pandemic. Social distancing has driven many of our clients to stay at home for the foreseeable future, meaning remote working is, for many, no longer an option but a prerequisite.

Offering remote working options to staff enables businesses to source the best employees and enhance their existing employees’ engagement. Your teams new remote work setup will come with numerous new challenges, including the way you protect sensitive data. 

Without security protections that come with being in an office, like whitelisted IP addresses and multi-layer perimeter security, you’re exposed to a whole host of security threats. Thus, information security must be of the highest priority during this time, as the last thing you need while managing an array of other problems is to experience a data breach.

We have pulled together and detailed below what we believe are the key steps to ensuring compliance with the new Covid-19 working from home conditions which include: 

1. Define Employees’ Duties

2. Provide a Remote Access Policy

3. Connecting to Public Wi-Fi 

4. Install Encryption Software on Employees’ Devices

5. Protect Data with Passwords

6. Implement a Strong Warning Procedure 

7. Review Your Policy

8. Establish Ways to Raise Security Awareness Among Staff

9. Avoid Fraud with Helpful Tips

10. Train Your Staff

What is General Data Protection Regulation (GDPR)?

When it comes to staying safe, GDPR (General Data Protection Regulation) is the best place to start. If you’ve implemented a working from home policy to your employees, you’ll need to keep data secure under the General Data Protection Regulation (GDPR) that commenced in May 2018. 

Essentially, GDPR’s main purposes are:

  • To avoid businesses encountering data breaches and to boost data security 
  • To protect personal information and cut down the number of data breaches by enabling businesses to have more jurisdiction over their personal and sensitive data
  • To help businesses recognise the security perils they need to tackle, and the actions they should take to alleviate them.

By adhering to the requirements of the GDPR, you ensure you’ve taken into consideration the risk to the information you hold.

Do I Need to Conform?

Yes. Organisations, big or small, need to make sure they’re compliant with GDPR. It doesn’t matter whether you’re a start-up or a big-name business, as GDPR compliance is vital to lessen the risk of breaches, not to mention avoid penalties.

GDPR applies to:

  • All organisations operating within the EU
  • Organisations outside of the EU that provide services or goods to individuals in the EU and that hold personal data or EU citizens.

Thus, it’s important to prepare for compliance, else you risk being fined up to 4% of your total annual revenue. 

What Constitutes Personal Data Under GDPR?

Personal data is essentially any information about a specific personal ‘data subject’. That is to say, any data that clearly relates to a particular person, such as appearance, office information and fact-based data.

Do I Need a Remote Working Policy?

A remote working policy is crucial for companies with remote employees, particularly those who are new to working from home. Establishing a well-defined policy enables remote developers to carry out their work from wherever they’re based – and productively – regardless of the situation.

Thus, businesses must:

  • Implement a clear remote working policy to direct their operational model
  • Ensure remote workers understand how to collect and access data clearly in light of GDPR and individual rights.
  • Link your remote working policy to disciplinary procedures and your terms of employment.

What if I Don’t Have a Remote Working Policy in Place?

By not having a remote working policy in place, you expose your organisation to numerous threats, including:

  • A lack of care among employees about data security, which increases the likelihood of workers losing their devices in public places and not encrypting their data when outside of the office.
  • Employees not having the correct tools or policies to work from home efficiently.
  • Remote workers accessing files using non-protected devices.

How Can I Ensure GDPR Compliance Within My Company?

The key to establishing a successful remote working policy is to cover and regulate data accessibility in its entirety. You can do this by following the below steps. For more information, you can review this helpful checklist from the ICO: https://ico.org.uk/for-organisations/data-protection-self-assessment/

1. Define Employees’ Duties

The most important action you can carry out is to outline your employees roles and responsibilities by providing a clear-cut description of their everyday accountabilities. If you need your workers to follow a nine to five working day, be transparent about this. That said, it’s best to foster independence by encouraging flexible working among your staff. By doing this, you’re endorsing a performance-orientated environment in which efforts and results are given precedence.

2. Provide a Remote Access Policy

Devise a set of rules that clearly outline which employee has access to what. Make sure you obviously state the tasks and names of every individual that’s entitled to log onto the organisation’s servers. It’s worth noting that none of your workers, whether based remotely or not, are allowed to have total access to your organisation’s files or servers if they don’t need them for their everyday duties. It’s a good idea to limit specified sections of the site and permit your employees to access the data that’s relevant to carrying out their daily job. Ensure you mention this within your policy.

3. Connecting to Public Wi-Fi 

Public Wi-Fi is convenient for remote staff, as it means they can work from wherever they like, including from home, cafes and co-working areas. But, if remote staff connect to public Wi-Fi without considering security, it can put data in danger. If you’re concerned about your data security, you must state in your policy that employees aren’t permitted to use public Wi-Fi. In the instance that your workers have no choice other than to connect to an unsecured network, ensure they use a VPN.

4. Install Encryption Software on Employees’ Devices

It’s paramount you encrypt your remote workers’ devices and implement data encryption on all devices. One option is to install an encryption software that encodes the entire desktop or only selected files. Or, install a remote-wipe app that deletes all data on a device if it gets lost or stolen, so if it falls into the wrong hands, the data won’t be compromised. Most modern IT devices come with encryption software built-in.

5. Protect Data with Passwords

Make sure you implement strong password systems to guarantee data security within your company. Strong passwords should be applied to emails, work-related files and networks. Your remote employees can do this by following the below steps:

  • Create strong passwords that are distinctive, memorable and obscure.
  • Revise their login IDs on a regular basis.
  • Decrease the number of login attempts to three before blocking the login screen.
  • Enhance their protection by enabling a two-factor authentication.

According to the most recent advice from the NCSC, it is best not to enable password expiry.

6. Implement a Strong Warning Procedure 

Should an employee encounter a data breach, there must be a clear, actionable procedure in place so employees can take the correct steps to report breach incidents to certified individuals. Your workforce must understand what signifies a data breach and what they can do if they notice one. Always change passwords of a breached account.

7. Review Your Policy

Ensure you tweak and test your policy once in a while to seal any security gaps and revise the regulations in line with your requirements.

8. Establish Ways to Raise Security Awareness Among Staff

You can strengthen your system by sending employees on training days or to workshops for a higher level of data security awareness. Other ways you can instil more understanding is by sharing blogs and podcasts that reveal authentic examples. For a bit of fun, you could introduce gamification to teach your development team about the importance of data security and GDPR compliance. Even better, implement ongoing and automated training and security testing to keep your employees active and aware.

9. Avoid Fraud with Helpful Tips

Market-leading email security products do have additional measures to combat invoice fraud. However it’s important to note, there is no silver bullet to prevent this type of incident occurring.

10. Train Your Staff

Train and make your staff aware of these things. There are an abundance of resources to keep your staff up to date on the latest fraud techniques.

Download the full guide now!

Like many IT support companies, we offer the administration of security to many of our clients, such as managed antivirus, penetration testing, advanced email security, vulnerability assessments, cyber security essentials programs and much more. If you need help at this time with managing security compliance effectively, don’t hesitate to give us
a call on 0207 317 4535.

Posted in Security services.