Many businesses have needed to adapt and embrace remote working. For many, this can raise new working practices and question how data is managed with a distributed workforce. In our series of advice and insight for business around Covid-19/Coronavirus, we want to cover off how this will impact processing personal data. This is especially important now that many firms have staff working from home. The Information Commissioner’s Office’s (“ICO”), the UK’s data and privacy regulator, has issued guidance for organisations on processing personal data during the Coronavirus outbreak. This covers, among other things, how businesses should make sure that they maintain data protection compliance, practices and standards including how data is shared. If you have staff working remotely you need to consider how you put appropriate technical and organisational measures in place to protect the personal data of others, especially your clients.
We want to provide clarity on how to comply with GDPR in this new working environment. We have distilled these recommendations to a 6 step checklist for you to follow:
1. Make someone responsible for data
Most organisations who process personal data will have already have appointed a contact within the organisation to be the centre point for queries about data processing, often known as a data processing manager or data protection officer. This contact point should also be given responsibility for making sure that just because staff are home working, the standards for data protection do not slip. This name and contact details for example ([email protected]) should be made available to all staff.
2. Add enhanced technical and organisational measures
You should issue guidance or policies on How to work from home when processing personal data. This includes:
providing staff training on GDPR obligations
adding encryption to accessing IT servers
adding additional log on or password protections to access the servers
rules on closing down screens – in particular, if the home is occupied by others.
This may appear heavy-handed, but it does represent what most businesses adopt in the office environment and now, should cover off when staff is working from home.
3. Update Privacy Notices
This is not just for large businesses, we recommend updating the organisation's GDPR Privacy Notice to add that during exceptional circumstances (such as a health pandemic), some personal data may be accessed and processed remotely. The measures that you have been put in place should be detailed, for example, enhanced log on stages, encryption measures, document security, and additional staff training. The GDPR Privacy Notice should be displayed on the organisations website and where practical, the revised notice should be sent out to affected individuals. It will depend on the purpose behind the processing and what the lawful ground for processing is, but it may be necessary to get the individuals’ consent to the new way of processing.If you need advice on updating your Privacy Notice you can contact our GDPR lawyers.
4. Record decisions made about how data is processed
It is important that when a change in working practices is decided upon, the outcome is clearly detailed and to record how you reached that decision. This should include noting that staff is permitted to work at home but that each staff member gives their agreement that they will meet the measures put in place by the employer/organisation.
5. Team training
Organisations should provide teams with training (or refresher course) to understand the importance of the data protection measures and their compliance. Lawbite can help by providing expert data protection legal advice to ensure all the right topics are covered.
6. Notify breaches
Organisations must keep aware and comply in the event of any breaches. The nominated data protection official must maintain a record of any such breaches and respond accordingly and act to ensure any breach is resolved swiftly.
We would be remiss not to mention that the ICO does have extensive powers to investigate organisations. There have been some notable fines, from hundreds of thousands to millions. ICO have said that they will not penalise organisations who have to prioritise other areas of their business, or have had to adapt their usual business practices. However, even with the uncertainty that is going on, businesses still must make sure that they actively comply with the principles of protecting individuals’ personal data.
Whether you are a small, medium, or large organisation, receiving a subject access request (SAR) or data subject access request (DSAR) and handling...
LawBite can help you
LawBite is on a mission to provide business legal advice that is easier to access, clearer to understand and much cheaper. Our on-line legal advice platform can quickly connect you with expert business legal advice. Our friendly, highly qualified business lawyers, solicitors and mediators will give you the guidance and reassurance that comes from customised legal advice for small and medium sized business.
Whether you are bringing or defending a legal claim, outsourcing work, want a business contract review to ward off disagreements, talk to an expert trademark lawyer, resolve a contractual dispute with methods like mediation and arbitration, or getting your new company set up and on the right footing with a robust shareholder agreement and GDPR standards, we can help you succeed.
Lawbit Limited (trading as LawBite)
Correspondence Address: Studio 403, 332 Ladbroke Grove, London W10 5AD
Registered Address: 39 Long Acre, London, England, WC2E 9LG
Our lawyers provide legal advice working through Lawbriefs Ltd.
Lawbriefs Ltd is authorised and regulated by the Solicitors Regulation Authority (SRA number 622808)