GDPR applies when we’re working from home just as much as when we’re in the office. Otherwise, it wouldn’t be protecting that personal data.
So stick with us as we go through 10 Top Tips on GDPR compliance and working from home. Five purely on Privacy. Five on the Security element, because security is fundamental to GDPR compliance.
You can watch the accompanying video: Top 10 Tips GDPR & WFH, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
Grab yourself a coffee and stick with us to the 10th Tip because that’s a great one that’s often overlooked and can save your liability as an individual as well as an employer.
Your employer will have a set of policies and procedures implementing GDPR compliance.
There’s probably a parent policy for each of Data Protection and Information Security, and then others underneath. They may well have a Working from Home document now – only 20 odd per cent did at Christmas time in 2019, so there was a big rush to put these in place.
But you’ll also want to refresh your knowledge on the policies and procedures on Remote Working, Bring Your Own Device, the use of Encryption and VPNs, for example, and also how to deal with a Personal Data Breach or Data Subject Rights when you’re working from home.
Part of those procedures will be about using approved systems and providers, and storing information a particular way, because likely due diligence went into planning that and selecting those people to provide compliant information, security and data protection practices, and so the employer knows where that data is, which is fundamental to both Security and Data Protection.
If you’re in Sales, it might be all customer data has to be in Salesforce.com or HubSpot. If you’re in Finance, it might be Xero et cetera. And it’s easy to fall into saving files onto the desktop of you personal machine or onto different personal drives. Do avoid that.
So if work says to use Microsoft Teams or Slack, don’t start using What’sApp. If they say use WebEx, don’t start using Zoom and vice versa.
And when you are using these services, make sure you have the same privacy and security settings as when you use them at work.
Now, working from home doesn’t change the rules on how you use data or who you share it with, so you can only use it for the approved purposes. And you’ll still need to maintain required practices, set out in those procedures we mentioned.
A very common GDPR breach is emailing unprotected attachments containing personal data, so do keep using the secure way to share data that your workplace set out. Potentially, it’s secure links.
And risk from sharing, or over-sharing, personal data aren’t just from leaving it on a housemate’s laptop. Social engineering, or blagging attacks, are higher risk when you’re working from home. This is when, for example, a stranger calls up pretending to be a customer in a panic, under pressure at work, and they’re asking for personal data.
Now, this is about working from home, but if you do go out to work in public places like a cafe, just make sure no-one can see your screen – they’re not shoulder surfing.
Here we’re talking about Data Subject Rights which are, eg, where an individual asks to unsubscribe or for a copy of all of their data. And we’re also talking about Personal Data Breaches, which is basically when a Security breach leads to the compromising of the confidentiality, integrity or availability of that personal data.
All the normal rules still apply.
You’ll need to react to those including to escalate them appropriately as you would at work and, with breach, there’s only a 72-hour period before the employer (the controller) needs to report this to the authorities if they need to, so you still do need to act as quickly.
Breach takes us fully into Security, which is fundamental to Data Protection.
It’s one of GDPR’s 7 Principles and probably the most relevant to working from home when you look at the guidance, for example, from the UK ICO, which, again, the link is in the notes.
You probably use a password manager at work. It’s an app to remember, create and manage all of your passwords. It may not be on your home devices, so check with your IT colleagues. Make sure you instal it on any device you’re using.
And while we’re on passwords, go to your home wifi’s administrator settings and change the password from the default. It’s probably stamped on the back of your router. It’ll take just five minutes and it’ll protect your own home use as well as your work use.
So as well as a password manager, do use Two Factor Authentication whenever you can. It’s fantastic for stopping password attacks. Check with your IT colleagues about their recommended 2FA app. There are loads of free ones out there, your workplace probably has a recommended one.
Again, this shouldn’t be an issue with your work kit, but if you’re using your own personal laptop or mobile, make sure they’re set to auto-update the operating system and the applications.
Many attacks make use of old vulnerabilities, for which a patch was issued but not implemented. Again, your IT colleagues will help here.
Now, encryption is one of the best security tools to manage GDPR risk. So do make sure your laptop and smartphones are encrypted and ensure other security services such as anti-virus, are up to date.
Again, your work kit’s probably been sorted for you, but your IT colleagues can help you here with your home kit, making sure you’ve got the right anti-virus software, the right encryption settings and VPN, for example.
Another security tool that is really essential when you’re working from home is having a way to remote wipe a lost device in particular. These are called Mobile Device Management tools or MDM tools. Now they are sometimes built into consumer products, but talk to work and get that put onto your home devices so if you lose your laptop, you lose your mobile, you report it in, it can just be remote wiped, and they can tell whether someone’s been into it or not. It’s really a very valuable tool when you’re looking at containing a Personal Data Breach.
VPNs brings us onto our 8th Tip.
If you’re working in somewhere public like a cafe, don’t just log into any network they give you, even if you have to sign in, unless it’s got that padlock there, it’s not a secure network. If you don’t have a VPN, there’s lots of free apps – again, work will be able to talk to you about this, but also you can just tether to your mobile!
When you tether to your mobile, that tends to create a secure, password-protected network just for you.
We humans are the major security vulnerability usually!
Security attacks based on human behaviour have spiked in lockdown. Coronavirus has given criminals a ton of opportunities to send us phishing emails and texts pretending to be Microsoft or Zoom or HMRC, or your bank, asking you generally to click on a link or download a file.
They used to be really obvious with bad spelling and silly email addresses. Now they can look very official, so a certain amount of paranoia and common sense is necessary here.
Always feel empowered to separately contact colleagues and providers that you receive emails from. That’s a really good way to check if it’s real or not.
And our last Tip!
This is key. It’s all too easy to be relaxed and to leave copies of personal data, or confidential information for that matter, lying around on the kitchen table or on your partner’s computer or leave it in a cafe, et cetera.
Keep everything as online as possible in those approved SaaS services.
Like a hiker in the countryside: close the gate after you, leave no trace!
So there we go: 10 Top Tips for GDPR Compliance while working from home.
Do use #privacykitchen to suggest the topics and questions you’d like covered.
We’ll see you back in Privacy Kitchen soon, stay well in the meantime!
Many get the Privacy rules on email marketing wrong. For a start, they’re not in GDPR as commonly thought, they were set out in the EU e-Privacy Directive, which means…
Can you recognise a personal data breach under GDPR? Well, you need to be able to, because GDPR introduced obligations on every business, as controllers, to record all personal data…