As we start to peek over the edge of COVID-19 lockdown, hopefully, and restrictions on our personal lives and businesses begin to lift, we must now review how we work and where we work.
Flexible working has been around for a long time although I, for one, have always been very apprehensive about it. Call me old fashioned but I believe it is fair to say that others are also wary; for instance, regarding trust issues about productivity, handling of data and data security. With current restrictions dictating how work can and cannot progress, it’s time to harness the benefits of the recent discovery of alternative methods of working, which can both endure such constraints and allow for the prospect that the ‘new normal’ may not simply be an about-turn to what was.
There is no escaping the fact that COVID-19 has forced businesses to do things differently, to ensure resilience and innovation in the way they can continue to function successfully. I have seen the hospitality and retail industries revolutionise the way they promote their products as well as deliver products to their customers.
Five-star hotels and Michelin star restaurants now offer high-quality takeaway meals – often with a home delivery service. High street retailers have embraced opportunities to provide online sales with free home delivery or convenient collection arrangements. Private and public sector businesses have strived to continue to provide an appropriate service involving work-from-home arrangements. Public authorities have moved many of their administrative services to the home environment. Even Law Enforcement civilian and warranted officers have adapted to working from home very effectively, and not necessarily at a cost to efficiency. It shows it can be done.
So what do business leaders do now that we can start moving organisations back to full capacity? Is it a case of calling everyone back to the office and getting our IT departments (who have worked miracles over this COVID-19 period) to collect all the additional equipment we have sourced and supplied over the past three months or so? I would like to think the answer could be ‘No’!
Boards, Directors, Senior Management Teams and even owners of SMEs should re-evaluate how their business is conducted. We have seen that our employees can work from home and that work will get done; in many cases productivity may have increased, while sickness may have reduced. Given the opportunity, how many staff would express a preference to work from home, which could be of benefit to all?
This is not to say move everything to work from home full-time but look at a balance. For example, does this now allow for a week involving two office-based days with three home-based days, or vice versa – in other words, flexible working arrangements?
So, if this appeals to businesses and their employees, what else do we need to consider that may not be adequately in place, or may be hidden somewhere within a lengthy paragraph in a policy? Yes, you’re right to ask: How do we set policy for this new working model? What procedures do we put in place? How do we ensure data safety and compliance with the GDPR or relevant jurisdictional data protection law?
Data Controllers have responsibilities. By law, this includes the requirement to put in place Organisational and Technical Measures to protect the personal data being processed. The Organisational requirement involves the policies and procedures that need to be put in place, appropriate staff training, ensuring everyone understands what the policies and procedures mean, where they are and how they should be applied.
The Technical Measures should address the security put around the personal data: firewalls, cyber security, software to guard against data leaks, etc. All of these areas need to be considered, with systems put in place so that they are future-proofed and not just ‘thrown together for convenience’.
There are plenty of enforcement cases which can be referred to, as examples of organisations that have been fined for lack of compliance, but the majority of Data Controllers will be aware of these.
At Propelfwd, we can advise on your requirements for additional Policies and Procedures, or an ‘add-in’ to your current Policies and Procedures. We can write the policies and procedures for you and help you put them in place effectively.
Other areas to consider include:
Do you allow your employees to use their own devices? If the answer to this question is ‘Yes’, then you need to put in place a ‘Bring your own device’ (BYOD) Policy.
Have you provided appropriate training to your employees on working from home and data protection issues? If not, Propelfwd can develop a customised online training course for your employees on this topic. Contact us, today!
We can also provide assistance with Data Protection Impact Assessments.
A DPIA can be vital to organisations, to identify the risks involved with home working, the data security, staff training needs, the home environment, the home security and internet usage. It will highlight both the likelihood and severity of any potential harm to individuals.
The general rule is:
A DPIA must be carried out where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks”.
If you want to know more about the legal requirements of a DPIA, refer to Article 34 GDPR, Article 16 Data Protection (Jersey) Law 2018 or Article 44 Data Protection (Bailiwick of Guernsey) Law 2017.
It is also advised that, where new processing activities are adopted by an organisation or changes to a current process take place, a DPIA should be completed by the Data Controller. This is the first step to developing policies and procedures for your organisation: you must know the risks to the organisation and know what appropriate mitigations need to be in place to reduce those risks.
If you are unfortunate enough to suffer a data breach and during the subsequent investigation it is shown you had not identified and considered the risks associated with the new data processing activity, you could be liable to sanctions from the Information Commissioner, which could have been avoided with the correct measures in place.
Propelfwd can conduct the required research, liaise with employees through an online questionnaire covering their thoughts on the process, how and where they will work in their home, what internet access there is, security requirements, etc., identify the associated risks and provide recommendations on appropriate mitigations for you to put in place to reduce your exposure.
In essence, once the above measures and actions have been completed adequately, you have demonstrated, as a data controller, that you are accountable, have taken this important issue seriously and recognise the need to protect any personal data that you process. This is not an expensive undertaking for your organisation but, if left unaddressed, it could prove to be very costly, both financially and in terms of the reputation of your organisation.