Hybrid working and data protection
It’s hard to believe that more than a year has passed since much of the employed world was sent to work from home. At the time, we wrote about the potential impact of homeworking on data protection, and outlined some simple checks organisations could take to ensure their data was kept secure. Like many, we thought this would be a temporary solution before we were, for the most part, back in the office. Now, it looks like a hybrid model of home and office working is here to stay.
Over the past few months, we have seen several major companies announcing permanent changes to where their staff work. A recent study from McKinsey found that the proportion of employees showing a preference for hybrid working had increased by more than one-fifth (22%). The study also revealed a 25% decline in the number of staff who wanted to work full-time in the office.
While many companies have put systems in place to allow a successful mix of in-office and at-home working, research has demonstrated the potential knock-on effect this can have on data protection.
In IBM’s latest ‘Cost of Data Breach’ report, 70% of respondents believed a remote workforce would increase the cost of a data breach. The main reason for this is that it takes longer to identify and then respond to a security incident if you are not onsite to deal with it. Similarly, a Malwarebytes survey of 200 IT and cybersecurity professionals last year revealed that remote workers caused a security breach in 20% of organisations.
So, how can organisations securely manage data in a hybrid working world? How do you keep a handle on how your data is being used - and ensure the safety of that data - when your workforce could potentially be using different networks or devices and a variety of digital tools, from video conferencing to file sharing?
And, importantly, how do you keep a workforce engaged in the important role they play in the success of meeting data protection obligations, when you’re not in the same physical work environment?
There are some key principles to remember when it comes to de-risking remote working:
- Avoid a blanket ‘access to everything’ approach – while there is a temptation to let everyone have access to all things, there is a need to balance the requirement to work remotely with appropriate data access and security. This will require regular review in light of a more permanent switch to hybrid working, but will be time well spent to avoid a potentially damaging data breach.
- Discourage local storage of data – using approved online systems and educating employees on the benefits of having central access is vital. In the immediate aftermath of the pandemic, organisations may not have had the resources to ensure everyone was adhering to best practice, but they cannot afford to let this go unchecked indefinitely.
- Regularly review security standards – it is still imperative to have minimum security standards for remote devices, such as disk encryption, strong passwords, a VPN for internet connections and privacy screens.
One of the biggest challenges is keeping employees engaged with compliance issues when they are working from home. Ensuring data protection is front of mind was tricky, even before Covid-19 hit. So, what steps can organisations take to ensure they turn the work-from-home era to their advantage from a data protection perspective?
- Make the permanent move to a digital data storage system - One of the main opportunities that has arisen from the increased use of digital solutions is that it can really reduce the perceived need for paper-based systems. This change in habit, i.e. moving from an outdated ‘hard copy’ system to having all data stored on a secure online platform, is crucial to increasing both efficiency and security for organisations. Having a common digital platform for people to interact on and with can really help drive engagement on compliance-based activities.
- Use ‘extra’ time to train - With people spending less time commuting or travelling, there is potentially more time to dedicate to compliance-based activities. Ensure there is a regular programme of best practice training in place to embed a positive data culture within the business. Digital tools mean that you can be more flexible and aware of people’s individual circumstances by arranging virtual training sessions or updates that are easy for people to attend.
- Be visible - Even if that is not physically possible, the DPO, or person responsible for data protection, still needs to be the ‘go to’ person for help and support, and regular communication will continue to be crucial. In addition to training, think of other ways to ensure data management is front of mind, perhaps using other internal communications channels such as e-newsletters or the intranet.
The past 15 months have seen a huge change in how we work. However, when it comes to good data protection, the key principles still apply – as we outlined in our recent ‘Data Protection Made Easy’ guide - whether you are in or out of the office.