Top tips for data protection compliance when working remotely

25 June 2020
Digital MediaRisk and Reputation ManagementData, Research and AnalysisGovernance and Compliance
Standard Content

Suzanne Lewis from Arc Data writes a blog looking at the key things that employers and employees need to remember when working from home in terms of data protection compliance.

Many of us have become used to working from home as a result of the coronavirus lockdown restrictions, and a lot of people have found it really works for them and their employers. By all accounts, WFH is likely to become a more common factor of the post-COVID norm. On the plus side, today’s technology enables us to work remotely yet remain connected, especially so with video meetings; it allows us to be more flexible with our hours, avoid that dreary commute and its nasty carbon emissions, reduce our spend on travelling and lunches, and so on. But it’s not without its challenges, particularly when it comes to data protection.

Working off-site on a remote computer, potentially on your own computer, requires paying close attention to security if you’re working with people’s personal data (that’s details for supporters, beneficiaries or staff), and this applies to more areas than you might imagine.

And remember you may be working from home, but your organisation should have Data Protection Policies which include, Data Retention Data Security and information handling to name but three issues to be considered. Your organisation may well have a policy on Bring Your Own Device too, which will tell you what you need to do to protect your device and any data held on it (this will apply to mobile phones as well as laptops, PCs, tablets, etc. So please ask your IT or data protection department for their help in keeping you up to speed if they haven’t done so already.

Email personal data securely

For a start, with less opportunity for face-to-face dialogue in the office, many more of us are relying on email to communicate with colleagues. But remember, under GDPR rules, if personal data is to be sent via email, it must be protected.

The ideal scenario is for all personal data to be transferred via SFTP sites. However not everyone has this option, so how else can data be transferred?

Does the data really need to be transferred or can you either anonymise or give people access to a shared file. If you do have to send data by email, then you should encrypt and password protect the file. Making the file a zip file usually allows both encryption and password protection – use something like 7zip which is free to download. Use a strong password generator (you can add that description into any search engine to find a strong password generator) and cut and paste the password into the zip file. Also make a note of the password. It’s preferable not to send passwords by email if you can avoid it – even if it is in a separate document. You should use another communication method to send the password – text, phone, etc.

If you can, use unique record numbers (URNs) to give information about a record and even for a small amount of data such as a change of address or a do not mail request, put this in an encrypted, strong password protected document.

Encrypt sensitive files

Please remember too that while at work you will be working behind firewalls with anti-virus scans running across the system at frequent intervals. At home you may be far more vulnerable as you are unlikely to have the same level of protection. So firstly, sign up to a good level of virus protection if you are not already. Then, try to keep your risks as low as possible by encrypting files that contain “sensitive” data, whether that’s commercially sensitive to your organisation, or special category as defined by GDPR. Avoid downloading personal data and especially special category data to your own device. Check your data protection policies before you do this as they may well say you must not download personal data. If this is the case, you will need to speak to whoever manages your data protection to get written approval.

When to use ethernet over WiFi

And, although it may sound draconian, if you are accessing significant amounts of data it can be advisable to access this using an ethernet cable connection, rather than WiFi as the latter makes it far too easy for personal data to be intercepted if you’re using an open network, or a network with little protection.

Keep work files separate

If you are not able to remotely access the office servers, then create a separate area to keep all your work activity on your own PC/Mac. Then, when “normal service” resumes you will be able to transfer all the work over and then delete it from your computer.

Delete and destroy safely

And when it comes to deleting personal data, hitting the delete button is not enough. The data needs to be properly erased, so that it doesn’t sit somewhere in the memory of your PC (ask your IT support for instructions!). Don’t forget too, that at home you still need to treat anything you print off securely. It could be that you’ve printed off an email, or maybe some Excel spreadsheets for business planning purposes. Whatever it is, if there is anything sensitive in it, then do ensure the data is securely disposed of by shredding.

Secure your equipment

While you may feel safe and secure at home, the computers you’re using for work ought to be locked away if possible, especially laptops or memory sticks (assuming your organisations allows these to be used). They should also be password protected in case they are stolen.

Don't forget your mobile

And lastly don’t forget you may also have data on your mobile so the security of this device also needs to be considered, particularly as most smartphones include email access. A quick and easy win is to ensure that your screen locks after 30 seconds of last being used. Also, that a pass code (and not 12345!) and/or a fingerprint is required to unlock it. A lot of phones have tracking devices now and it is a good idea to have these switched on in case you lose your phone or it is stolen.

If you do lose any piece of equipment or something else goes wrong, report it to your data protection and IT departments straight away to enable them to reduce the impact and report a data breach if necessary.

Some of these tips may sound obvious, but it’s often the obvious that gets forgotten, particularly when we’re thrust into a situation we’ve never been in before at the same time as dealing with a crisis. It’s important to remember that while we’re all getting accustomed to different working practices, data protection rules still apply.

Stay data secure and personally safe everyone.

Suzanne Lewis
Suzanne Lewis
Founding Director of Arc Data
Members Only Content