What are the data protection risks of home working?

These days, especially following the COVID pandemic, the emphasis on employers prioritising the work-life balance of their employees has only grown. It’s more common now than ever for staff members to have more flexibility, working from home and adjusting their hours to better fit work around their home life. As part of this ongoing progress, new changes to flexible working arrangements were made in April this year.

The new flexible working legislation has removed the requirement for an employee to have completed 26 weeks of continuous service before they can request flexible working. This means that there will likely be (if there is not already) a rise in the number of employees who have a hybrid/flexible working environment.

Whilst it’s generally a positive thing that there is a growing balance between work and home life, it has, like many things, raised some additional concerns when thinking about data protection and cybersecurity.

What do you need to consider when working remotely?

Providing the ability to work from home opens up an organisation to additional risk when considering personal data. There are a couple of things that we as individuals can do when we are working remotely to help reduce that risk.

When you are working from home, make sure that your family can’t see your screen, particularly if you are dealing with special category data. You should also try and make sure that conversations aren’t overheard, whether this be phone calls or virtual meetings.

When working remotely somewhere public, like a coffee shop or train, the above becomes even more important, but there are a couple of other things to bear in mind. Firstly, public Wi-Fi usually doesn’t have much security on it, which opens up the risk of infecting your work device (or personal device) with malware, which in turn can compromise your organisation’s systems and the personal data stored in them. Secondly, when working in public, you should never leave your device unattended.

It may be harder for screens to be kept away from ground level windows at home.

Space at home is likely to be more limited than in the office. This doesn’t just mean a little less leg room; it can also mean a weakness in security. Having the work computer right by a window on the ground floor leaves the data on your screen vulnerable to peeping toms. To protect data, you have to keep it out of sight – and that, of course, includes out of sight of strangers who might stroll past your window.

Personal Wi-Fi might not offer the same level of protection as office Wi-Fi.

No matter how secure you think your home network is, it’s always possible that it’s just not as well-equipped as your office’s Wi-Fi. It is also worth considering that although most routers today have the capability to encrypt, this is a setting that needs to be enabled through the router settings, a fact that many individuals may not be aware of.

How can staff protect data whilst working from home?

So how can these vulnerabilities be handled? How can organisations like yours offer their employees flexibility to keep them happy, while not throwing the personal data your company processes at the mercy of less secure environments?

Implement flexible working policies

The first thing you should consider is whether your organisation has robust policies and procedures in place that relate to acceptable use and working remotely. It’s important that employees aren’t just given the policies to read and sent on their way. They need to be thoroughly read and properly understood, and employees need to be fully aware of what their responsibilities are when working from home, and why.

A good policy should contain the what, the how and the why. It should also include information such as:

  • Always locking screens when stepping away from the device.
  • Keeping screens away from eye level windows as far as possible.
  • What websites employees can and cannot access from a work device.
  • Prohibiting the use of work devices for personal purchases.
  • Ensuring accounts are logged out at the end of the day.
  • Ensuring secure passwords are in place.
  • Prohibiting the download of any programmes/software without prior approval.

Depending on your organisation, one policy may not be enough to cover all areas, and to truly encompass all considerations and responsibilities you will need a full suite of flexible working policies. This should include:

  • A Working From Home/Flexible Working Policy – To set out individuals’ responsibilities when working away from the office.
  • Bring Your Own Device Policy – To set out what individuals need to consider when using a personal device for work.
  • Remote Access Policy – To set out rules that define how employees can connect to the company’s networks and systems whilst working remotely.
  • Mobile Device Management Policy – To set out the rules and responsibilities of employees when using company owned/personally owned devices in the course of their employment.
  • Data Protection Policy – To ensure that employees understand their data protection responsibilities apply both when they are working in the office, and remotely.

Provide training for staff

Adequate training is another key contender for things to consider when introducing a hybrid/flexible working environment. Providing training is a great way to get information across to employees, especially as reading policies can be an arduous task for some.

It is important that this training enables employees to understand why cyber security and data protection are so important, and how their own actions can significantly help or harm the overall security of the organisation.

Having a strong training programme in place means that employees will know the data protection considerations that should be applied when working remotely. Training should contain information about the extra considerations when working remotely, for example avoiding public Wi-Fi when connecting to the organisation’s systems, and not leaving devices unattended when outside of the office.

Employ technical measures

Unsecured networks are a risk as data can be intercepted by hackers, which could prove to have significant consequences for both the organisation and any data subjects involved. For this reason, technical measures should also be put into place, such as providing employees with anti-virus/anti-malware software for their work devices, and virtual private networks (VPNs). This will give you some peace of mind when employees are working from home, as these measures will provide extra layers of protection from external factors.

Providing flexible working without compromising data security

With the rising prevalence of working from home, it’s important that you consider the risks associated with employees working from home. As long as you ensure that there are measures put in place to help employees understand the cybersecurity and data protection risks they will be responsible for mitigating, they can enjoy the benefits of working from the comfort of their own home without putting data at unnecessary risk.

Need some support? 

For additional guidance on employment information, the ICO has lots of guidance and resources.

Additionally, if you need an expert team that can provide staff training, review your organisation’s data protection practices, policies, and procedures, and provide professional data protection advice, we’re the ones to call. Get in touch with us to find out more.
