Working from home, whether full time or hybrid, is still common practice following on from the Covid lockdown era. You might have employees who spend some of their time working remotely using office laptops and other hardware, or you might allow employees to use their own devices and access company software. Both of these options come with their own risks, but with a bit of due diligence you can ensure your company and employees stay on the right side of the law.
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
Anyone who uses personal data must follow the ‘data protection principles’ and ensure the information is used fairly and within the law. Personal data must only be used for specified purposes and must be limited to what is necessary for those purposes. Find out more about the Data Protection Act 2018 on the UK government website.
Minimise the Risks
Employees who work from home and who handle personal data must be fully trained on GDPR and how it affects their working practices. All employees must use strong passwords – it’s hard to keep track of passwords, so password managers are a great tool for keeping them safe and secure. Encourage your employees to use a VPN (virtual private network) when working from home as an extra layer of security.
The use of company devices is the most expensive option (but the most secure) for employees who work remotely. The devices should be able to be supported and updated remotely, and measures should be put in place to prevent data loss.
If your employees wish to use their own devices for working from home, there are considerations you need to take into account before authorising this, in order to help prevent data protection and security breaches:
- Ensure your employees have up-to-date software (including the operating system).
- Bear in mind the likelihood of family members or other members of the household seeing sensitive data.
- Do other members of the household share the devices? If so, how can you ensure sensitive data is not shared?
- Encrypt sensitive company data – there are multiple third-party hard drive encryption software solutions.
- Discourage the practice of storing or transferring sensitive data to insecure storage devices such as USB sticks.
Security Checklist:
- Up-to-date policies for remote working.
- Make sure all your employees (and you) are fully trained on data protection and how to remain secure when working remotely.
- Guidance on working remotely for all employees.
- Ensure all employees use strong passwords and utilise multi-factor authentication where possible.
- Ensure employees use company email addresses when dealing with sensitive data.
- Control access so that employees only have access to the data they need and nothing more.
- Ensure all employees have up-to-date antivirus software installed (and turned on) on any personal device being used for work.
- Ensure you use a corporate VPN to keep connections secure.
When Employees Leave
To protect against data loss, you need to make sure you remove access to the company email address immediately. Remove access to all applications and disable, retrieve and wipe any company-owned devices.
On leaving, ask the employee to sign a document acknowledging that they have returned any company-owned devices and that they haven’t kept any company data.