Coronavirus (COVID-19) Data Protection - The keys to securing agile or home working

Stone King

Now that Covid-19 has been declared a global pandemic, our preparedness for home working is being tested.

Organisations where agile working is the norm will already have adopted systems and equipment to maintain business operations and manage the risks of working “beyond the perimeter”. Others will not.

Although it may be unplanned, now is the time to look at how you enable your distributed staff to collaborate. Doing this now will pay dividends in the future, long after the current threat of Covid-19 has gone away.

Right now, in the midst of Covid-19, GDPR may not feature strongly (or at all) on your list of considerations. But there are two big reasons why it should. First, protecting personal data remains your statutory obligation under GDPR, regardless of whether it is being processed onsite or from your employees’ homes and their personal devices. (Remember, under GDPR, you have a statutory obligation to take appropriate technical and organisational measures to protect personal data.) Second, new data security risks are likely to emerge as attackers exploit the Covid-19 crisis to launch new phishing campaigns and probe for weaknesses in your security measures.

If you are reliant on your staff using their own personal devices to work from, it is critical to put Bring-Your-Own-Device (BYOD) measures in place.

Bring-Your-Own-Device (BYOD) is the use of employee-owned devices to access the employer’s network or content.

BYOD comes in many guises: for example, staff accessing their email from a personal smartphone, or working from a home PC or personal laptop. However, if you plan to rely on BYOD, it needs to be GDPR-compliant.

The first thing to understand is that BYOD will increase security risks and the likelihood of a data breach occurring. The reason is that although your organisation remains the Controller of any personal data being processed, it does not legally own the device on which it is being processed. You become reliant on your staff properly securing their device, recognising the GDPR risks and knowing how to mitigate them.

Here at Stone King, we embraced agile working some time ago, so it’s “business as usual” in spite of Covid-19. All of our lawyers and critical support staff regularly work remotely or from home on secure laptops that access the firm’s network via a secure Virtual Private Network (VPN). This way of working is not only popular with staff; it also provides critical business resilience to the provision of services, allowing us to continue to support our clients in spite of Covid-19.

Here are our 10 top tips for adopting BYOD from ground-zero:

  1. Remind all staff of their obligation to protect personal data when working away from the building.
  2. Remind all staff that data breaches can cause real and significant harm to individuals and result in enforcement action (including substantial fines), adverse publicity and unwanted scrutiny.
  3. Any device that is used for work, including personal devices, should be protected with endpoint security such as up-to-date antivirus and anti-malware software and a personal firewall.
  4. Refresh and re-circulate your BYOD Policy to all staff. If you don’t have a documented BYOD Policy, we can quickly provide you with one that is tailored to your organisation.
  5. Any device that is used to store or process personal data should be encrypted, with the encryption protected by a password (noting that a login password alone does not necessarily mean the device’s storage is encrypted). This includes, for example, personal smartphones, personal laptops, USB memory sticks, home PCs and printers.
  6. Protect personal data from being accessed or seen by others including friends, family and the public. Do not share passwords or access credentials.
  7. Lock your screen when stepping away from work. Log off at the end of working and ensure that personal data is locked away.
  8. Work stored on personal devices should be securely backed up. Ensure that it can be retrieved when required in a timely manner.
  9. Post crisis, ensure that staff securely transfer all personal data back to your system and delete all copies from any personal device and backup.
  10. Alert staff to be vigilant against emerging new risks such as phishing attacks.
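Tips 3, 5 and 7 describe controls a member of staff can check on their own machine before using it for work. The following PowerShell script is an added example, not part of the Stone King article, showing a read-only posture check for a Windows 10/11 home PC: it reports whether antivirus and real-time protection are on, whether the personal firewall is enabled on every network profile, whether the operating-system drive is actually BitLocker-encrypted (rather than merely password-protected at login), and whether the screen saver locks the session. It assumes the Windows Defender, BitLocker and NetSecurity PowerShell modules are present and that it is run from an elevated prompt; the seven-day signature age and ten-minute lock timeout are thresholds chosen for this example, not figures from the article.

```powershell
# Added example (not Stone King's code): BYOD posture check for a Windows home PC.
# Assumes Windows 10/11 with the Defender, BitLocker and NetSecurity modules,
# run from an elevated PowerShell prompt. Read-only: nothing is changed.

$findings = @()

# Tip 3: endpoint security - antivirus running with reasonably fresh signatures.
# (7-day threshold is this example's assumption.)
try {
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
        $findings += "Antivirus or real-time protection is disabled"
    }
    if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
        $findings += "Antivirus signatures last updated $($mp.AntivirusSignatureLastUpdated) (older than 7 days)"
    }
} catch {
    $findings += "Could not query Windows Defender status: $($_.Exception.Message)"
}

# Tip 3: personal firewall must be enabled on Domain, Private and Public profiles.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings += "Firewall is disabled for the '$($_.Name)' profile"
}

# Tip 5: full-disk encryption - a login password alone is not encryption.
try {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            if ($_.ProtectionStatus -ne 'On') {
                $findings += "BitLocker protection is not On for $($_.MountPoint) (volume status: $($_.VolumeStatus))"
            }
        }
} catch {
    $findings += "Could not query BitLocker: $($_.Exception.Message) (module missing or not elevated?)"
}

# Tip 7: screen lock - screen saver active, password-protected, with a short timeout.
# (600-second threshold is this example's assumption.)
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1') {
    $findings += "Screen saver lock is not enforced (ScreenSaveActive/ScreenSaverIsSecure not set)"
} elseif ([int]$desk.ScreenSaveTimeOut -gt 600) {
    $findings += "Screen lock timeout is $($desk.ScreenSaveTimeOut) seconds; 600 or fewer recommended"
}

# Report: one line per gap, non-zero exit so the script can gate VPN or MDM enrolment.
if ($findings.Count -eq 0) {
    Write-Output "BYOD posture check passed: AV, firewall, disk encryption and screen lock all in place"
    exit 0
}
Write-Output "BYOD posture check found $($findings.Count) issue(s):"
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

Run it as `powershell -ExecutionPolicy Bypass -File byod-check.ps1` from an elevated prompt. The script deliberately only reads state; remediation (turning on BitLocker, re-enabling the firewall) is a decision for the device owner and your BYOD Policy, and the non-zero exit code is what lets an organisation treat a failed check as a reason to withhold network access until the gap is closed.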

Stone King’s specialist Information Law Group provides novel and responsive solutions to all types of business. It is led by a core of lawyers that have specialist qualifications and long-standing expertise.

Paula Williamson
Partner, Head of Information Law
Stone King