Many businesses have needed to adapt and embrace remote working. For many, this raises new working practices and questions about how data is managed with a distributed workforce. In our series of advice and insight for business around Covid-19/Coronavirus, we want to cover off how this will impact the processing of personal data. This is especially important now that many firms have staff working from home. The Information Commissioner's Office ("ICO"), the UK's data and privacy regulator, has issued guidance for organisations on processing personal data during the Coronavirus outbreak. This covers, among other things, how businesses should make sure that they maintain data protection compliance, practices and standards, including how data is shared. If you have staff working remotely, you need to consider how you put appropriate technical and organisational measures in place to protect the personal data of others, especially your clients.
We want to provide clarity on how to comply with GDPR in this new working environment. We have distilled these recommendations into a six-step checklist for you to follow:
1. Make someone responsible for data
Most organisations who process personal data will already have appointed a contact within the organisation to be the central point for queries about data processing, often known as a data processing manager or data protection officer. This contact should also be given responsibility for making sure that the standards for data protection do not slip just because staff are working from home. Their name and contact details (for example, [email protected]) should be made available to all staff.
2. Add enhanced technical and organisational measures
You should issue guidance or policies on how to work from home when processing personal data. This includes:
- providing staff training on GDPR obligations
- adding encryption to access to IT servers
- adding additional log-on or password protections to access the servers
- rules on closing down screens – in particular, if the home is occupied by others.
This may appear heavy-handed, but it represents what most businesses already adopt in the office environment and should now be covered off when staff are working from home.
3. Update Privacy Notices
This is not just for large businesses: we recommend updating the organisation's GDPR Privacy Notice to add that during exceptional circumstances (such as a health pandemic), some personal data may be accessed and processed remotely. The measures that you have put in place should be detailed, for example enhanced log-on stages, encryption measures, document security and additional staff training. The GDPR Privacy Notice should be displayed on the organisation's website and, where practical, the revised notice should be sent out to affected individuals. It will depend on the purpose behind the processing and what the lawful ground for processing is, but it may be necessary to get the individuals' consent to the new way of processing. If you need advice on updating your Privacy Notice, you can contact our GDPR lawyers.
4. Record decisions made about how data is processed
It is important that when a change in working practices is decided upon, the outcome is clearly detailed and you record how you reached that decision. This should include noting that staff are permitted to work at home, and that each staff member has agreed to meet the measures put in place by the employer/organisation.
5. Team training
Organisations should provide teams with training (or a refresher course) so they understand the importance of the data protection measures and of complying with them. LawBite can help by providing expert data protection legal advice to ensure all the right topics are covered.
6. Notify breaches
Organisations must remain aware of, and comply with, their obligations in the event of any breaches. The nominated data protection official must maintain a record of any such breaches, respond accordingly and act to ensure any breach is resolved swiftly.
ICO can and does issue fines for non-compliance
We would be remiss not to mention that the ICO has extensive powers to investigate organisations. There have been some notable fines, from hundreds of thousands to millions. The ICO has said that it will not penalise organisations who have to prioritise other areas of their business, or have had to adapt their usual business practices. However, even with the current uncertainty, businesses must still make sure that they actively comply with the principles of protecting individuals' personal data.
These are extraordinary times. As working practices evolve, the way we handle personal data should evolve too. While compliance may mean updating how your business processes personal data, these measures will stop your business being exposed to some potentially significant consequences. For more information, you can contact our GDPR expert lawyers on 020 3808 8314 or here to receive a free 15-minute phone consultation. We can guide you through the maze of compliance with GDPR obligations. LawBite is a virtual platform that connects SMEs to expert legal advice. Designed from the outset to pioneer a better way of providing legal services online, LawBite delivers an end-to-end process that handles enquiries and case management seamlessly via the telephone, computer and an app. Customers accessing the LawBite cloud computing platform connect to 50+ qualified lawyers and benefit from a faster process and fees at 50% of those charged by high street firms. As SMEs turn to a new distributed workforce, remote working practices and the gig economy, LawBite is at the forefront of this new order, making legal advice easier to access, understandable and affordable.
The author of this blog article is Rachel Robinson.