An appropriately qualified and senior person within the business should have carried out a risk assessment and review of the firm’s data protection procedures and to ensure they allow for safe and compliant home working. Those already working from home should still review procedures on a regular basis to ensure they are up to date, but for some who have only ever worked from an office they may not have considered the risks from working remotely at home. Firms should have a ‘data map’ under GDPR which details what information is collected, how it’s used, who has access etc. This should clearly show the movement and storage of customer data and allow you to easily check the data is managed compliantly. We would recommend this is reviewed to enable you to quickly identify the movement of customer data and if needed take action to install any measures to protect that data.

In the past it is likely all data (excluding separated back-ups) has been held in one location either using an on-site file server, cloud storage or similar solution. Similarly, landline phone calls may come through to a number within the office and you may even see customers there so their data can be copied and originals taken away when the customer leaves. Premises will be secured, systems protected and disaster recovery and business continuity procedures in place to enable you recover data and to restart without undue delay.

 

With home working many if not all of these procedures are likely to be different and the risk of a data breach much increased. Measures to consider include:

- Staff should ideally work on IT equipment provided solely for work purposes OR where they do use their own personal computers they should be logging in to the firm’s systems via a secure VPN and not running these or storing data on their local machine. If not then there is an increased risk of potential malware or virus attacks, risk of inadequate data back up and lack of adequate ‘localised’ security if the equipment is used by other family members or is not kept up to date with security patches. Staff may opt to send emails from personal accounts or take a “make do” approach for ease, but the crisis does not afford firms an excuse in the event of a data breach.

- Staff taking or making calls from home should take care that conversations are not overheard. Customer information and/or computer screens should not be left on view and computers secured with password protection and locked or turned off when not in use.

- What precautions do you have in place for physical paperwork or where there is a need to print items off to either post or work from? In the office you will have a cross shredder or use a secure disposal firm to deal with paper waste. What measures have you put in place for staff working from home?

- If you rely on paper files or maybe you process a case on a paper file before scanning, what do you have in place for staff holding these files at home? Paper work should be locked away from the risk of theft or returned to the office and secured in the normal storage place.

- If staff are using personal computers or other personal devices are these protected from malware, ransomware and virus attacks? You may have this protection on your office equipment but are all devices used by staff, personal or business issued laptops or tablets also protected with suitable firewalls and anti-virus software? Staff should be warned to not open unknown links in emails and take extra care to prevent malicious attacks.

- If staff are travelling back and forth from an office to collect or drop off files and correspondence they should take care to keep these secure and not left on view or certainly not in an unattended vehicle. Reducing the travel of data will reduce the risk.

- Computers may be protected but do staff also hold or move data on USB sticks or other portable storage devices? These can easily be misplaced, damaged or lost during transport and then any data held on these is at risk. To reduce risk of loss data should be encrypted and password protected. Use of cloud storage (once you have subjected this to appropriate due diligence) may reduce the risk of data transfer.

 

Firms should review procedures and ensure staff are trained and copy the process they would undertake in an office environment, including verification of customers on calls, clear desk policy, locking computers and securing all data. Staff should avoid taking notes or customer details particularly card details on scraps of paper which may not be disposed of securely.

If you require a data protection audit or process review, please get in touch.