Data security, hybrid working and the ICO
Updated: Jul 19
In our recent article about hybrid working we identified some of the issues that employers need to consider when their workforce works sometimes on site and on other occasions elsewhere, usually at home.
Many employers have used the pandemic to re-evaluate how their employees work, including where the work is done from, because of the perceived benefits of remote working, such as higher levels of engagement from employees who feel they have a better work-life balance.
While there are many benefits, employers need to be reminded that there are some issues that will present more of a challenge than others.
“Data security risks are likely to be greater where there is hybrid working”
Good technology may be capable of saving the day in many cases. However, there is much room for human error, and it is therefore necessary that employees are aware of the need to work responsibly.
Employers may think that they have managed well without much risk if clear policies and procedures were in place while employees were working solely from home. Hybrid working is different: employees will be moving around more, which means there is a greater risk of data and information being lost or getting into the wrong hands. The practices that have kept the business safe so far may need to be adjusted to address these additional risks.
“The ICO has been sympathetic to homeworking arrangements during the pandemic but has stressed organisations need to ensure that the systems in place are safe”
During the pandemic, the ICO accepted that employers had to adopt homeworking and new IT solutions very quickly. While the expectation was that organisations ensured that their systems and way of working were safe and any security threats addressed, there was some acknowledgement that we were not operating in an ideal world.
The ICO is now picking up where it left off at the start of the pandemic by reviewing past complaints. The expectation is that there will be less sympathy for organisations that suffer data breaches. Any hybrid working arrangements that lead to a data breach will be scrutinised by the ICO and action will be taken.
“Organisations need to understand and implement good practices when it comes to data security”
If hybrid working is to become a permanent fixture, you need to keep in mind that the ICO is unlikely to show much sympathy for a data breach.
Given the level of scrutiny that can arise when there is a data breach, and the reputational and financial risks involved, it makes sense to test current technological systems and employee practices to identify any weaknesses.
The aim will be to ensure employees are working securely. A good place to start is to ensure that the ICO’s guidance generally and on working from home is followed. Further details are on its website. Contracts of employment and policies covering IT, social media and data protection may need updating to emphasise the importance of confidentiality and complying with the data protection laws. Your employees’ approach to data retention and disposal may also need to be reviewed.
Given the level of scrutiny by the ICO if there is a data breach, a data impact assessment is advisable. A data impact assessment will help you manage any risks upfront and is essential if the business is handling sensitive personal data.
In the case of a data breach, the ICO may well ask about the decisions that have been made about data management and security with reference to a relevant data impact assessment. The absence of one will be unsatisfactory in the eyes of the ICO. A comprehensive data impact assessment that has been implemented shows that you are working with the data privacy laws.
“Understanding risk and taking responsibility”
Your policies will only protect your business if your employees understand the risks and the need to act responsibly. Clear communications and preventative training are therefore important. It may have to be spelt out that a failure to comply with the policies could lead to disciplinary action, including dismissal.
“It can never happen to us!”
While we often see household names being shamed by the ICO for data breaches, any organisation is vulnerable to a data breach and will be treated in exactly the same way. The ICO’s focus will be on the breach, the damage that has been done and what measures had been in place to avoid the breach. The current maximum fine is £17.5 million or 4% of total annual worldwide turnover. The ICO publishes a list of the organisations that have been fined.
In many cases, a data breach can be avoided if the correct technological and operational measures are put in place. It is, however, important that those measures are regularly assessed to ensure that they remain fit to manage the ever-present risk of a data breach. By assessing the risk and implementing appropriate measures you are likely to keep your business off the ICO’s list.
FGS’ legal team includes specialists in data protection and privacy law, which enables us to advise on GDPR compliance including commercial contracts, policies and procedures, data breaches, subject access requests and privacy issues.
If you require further advice about data protection, please feel free to call us on 0808 172 93 22 for a no obligation discussion.
For further details about the commercial legal service and assistance we provide to businesses, please click here.
This update is for general guidance only and advice should be taken in relation to a particular set of circumstances.