Last week the UK Government U-turned on its recommendation for employees to return to the office, and the official position is now that employees should work from home ‘if they can’.
It is difficult for many employers to justify bringing their staff into the office when they have already demonstrated earlier in the year that their role can be performed adequately at home, and with many employees keen to ditch the commute, it is likely that bosses will have to concede on the matter, whether they would prefer their team in the office or not.
But many organisations, particularly smaller ones, are failing to address the potential breaches of GDPR that arise as a direct result of an employee working from home. This could expose them to a data breach claim, which could be costly, as compensation paid for breaches can easily run into the thousands.
Andy Chesterman, Compliance Director at Privacy Helper, a company that specialises in helping companies comply with GDPR and data handling requirements, told us that he had seen a lot of breaches and challenges for businesses while their teams have been working from home. Sometimes, putting processes in place to be compliant means hiring IT experts and investing in servers or software, and many firms are simply ignoring their obligations because it is expensive.
“Many firms are allowing employees to use their personal laptops at home to carry out their work, as they would normally use a fixed desktop in the office and the cost of supplying each person with a new laptop is an expense they would prefer to avoid. Company property tends to have the latest security patches installed – and some company laptops will not allow external USBs to be used. Consider this if using your own laptop or PC temporarily – does it satisfy your company IT policy?
If personal machines are used “temporarily”, is all personal data (emails, client data, etc.) deleted from the personal machine after use, or does it get forgotten about? And if you are remotely dialling into the work server, are you using a VPN to secure your line? In usual circumstances, you’d log into the work server while in the office – a secure environment. Your home Wi-Fi may be less secure, therefore compromising the security of the data being accessed”.
There are, however, many other potential breaches that are often overlooked once an employee is in their own personal space. DRM Legal, a law firm handling claims on behalf of those who have had their data breached, has seen an uplift in claims for compensation in 2020 as a direct result of lax processes while working from home.
Chris Saltrese, Senior Partner at DRM Legal, shared with us some examples of recent enquiries his practice has received, such as an incident where a marriage counsellor was working out of their home office and private paperwork relating to another couple was not safely filed away, leaving confidential details visible. In this unusual case, the client actually knew the couple whose paperwork they had seen and had mentioned to them in passing conversation that they were using the same marriage counsellor!
Chris told us, “It is vitally important that files and paperwork containing personal data are locked away safely, where other family members and visitors cannot see those details. A number of GPs, nurses, solicitors and social workers are now working full-time from home and have in their possession very sensitive data relating to someone’s medical or criminal history. It would not be unusual, particularly in small towns and villages, for spouses, teenage children or extended family members who visit the home to personally know the individual whom the file relates to. If that file is casually left on the dining table or out on view, this could lead to a very serious data breach, and subsequent claim for compensation.”