Measures being introduced to tackle the COVID-19 coronavirus mean that many organisations are having to consider how their employees can work remotely for the first time.
Whilst these are extraordinary and challenging times, the ICO has stated that companies which require employees to work remotely will still need to consider the same kind of security measures for homeworking that would be used in normal circumstances.
Whether this is to cope with individuals who may not be sick but have been advised to enter self-isolation, or in response to formal guidance, remote working introduces new data protection and operational risks that organisations will need to review and mitigate.
These are the 5 top challenges your business will need consider when introducing remote working:
How will your existing processes be affected?
Some processes will be easier to move to remote working than others, so it’s important to firstly identify and thoroughly understand how all of your processes operate. You should establish:
- Which processes are critical and/or high-risk?
- Are there any processes that require someone’s physical presence to complete? This includes any processes to maintain your IT infrastructure.
- Have you locked any systems down so they can only be accessed from the office, or only from specific named IP addresses?
- Do you have any paper-based processes or processes that cannot be easily moved online?
It is much easier to get a handle on this if you have comprehensive, up-to-date process and data flow maps. If you don’t, I would suggest you begin by identifying and mapping your critical and high-risk processes – these are the ones where any problems will cause the biggest impact.
What effect will home working have on hardware?
It is important to understand what equipment people will need in order to work from home. This may include:
- Internet access
- Computer equipment
- Filing cabinets
- Secure authentication devices
Some individuals may not have all the equipment they need, or it may not be fit for purpose. For example, it is likely that most households have only one WiFi router which is used for all purposes, and may not have had any default settings changed.
It is important to understand how domestic equipment affects information security and data protection, as this will highlight what risks may be introduced and the information your employees may need in order to control those risks.
It’s also necessary to understand what effects the increased range of equipment will have on your IT team’s ability to provide helpdesk support, and particularly around securing devices and the information on those devices.
Who else will have access to information?
Most households are accessed by people who would not ordinarily be able to enter office premises. It is important to understand the risks associated with this, such as:
- Is the household accessible to someone with a relevant criminal record, such as fraud?
- Will the remote worker be using shared equipment, such as a family computer?
It may be that home working has different risks for different individuals, and it is important to consider whether the individual will need any additional training or equipment in order to protect information processed from home.
Will you need to introduce any new technology?
In order to facilitate home working, it’s very likely that you will need to increase your teleconference and video conference capacity. This may mean introducing new technology such as Microsoft Teams, Slack or Zoom.
Carrying out a Data Protection Impact Assessment (DPIA) will do more than just help you assess the data protection risks associated with this – it will also help you think through the challenges associated with switching from face-to-face to virtual meetings.
These could include:
- How will employees share information with each other?
- Who will need to be able to join a video or phone conference? Just your employees, or third-parties too? How will you limit access, especially when sensitive issues are being discussed?
- What support will your employees need to successfully install and use the software, and how will you provide this?
How will you manage home working staff?
It may be tempting to introduce new technologies to monitor employees that are working remotely. However, there are risks associated with this – especially if individuals are being monitored in their own homes, are using their own devices, and may even be sharing devices with other users.
You should be able to document and demonstrate that the benefits of any monitoring technologies outweigh the risks to the monitored individuals. If you cannot clearly demonstrate this, you should not implement the technology and should consider other management methods.
Data protection law should not be seen as a barrier to increased and different types of remote working, but as necessary practice to ensure your organisation and employees are still kept as safe as possible in different working environments. Whether home working is an occasional requirement for self-isolation or the start of a new working pattern for your organisation, taking the care to ensure your remote working operations will run securely and effectively will be a huge benefit your organisation in the long term.
Camilla Winlo is Director of Consultancy Services at DQM GRC