Following the two-year anniversary of the General Data Protection Regulation (GDPR), we find ourselves in a very different environment than in May 2018. The recent pandemic has caused an unprecedented shift in our working environments, resulting in the highest number of people working from home in history.
As we learn to navigate our new environments, the timing of the GDPR anniversary is a reminder for us all to review our new working practices against GDPR articles and best practice. Organisations appear more exposed to data breaches than ever before. Rightly, the focus over the last two months has been on Team Members (employees), infrastructure and survival. Meanwhile, Internet criminals are using the current situation to collect sensitive data. This makes it necessary to give information security top priority.
Creating access to data to support the new remote working infrastructure has also increased the risk of a data breach. Paper documents and digital data leave the building unchecked. Consider, for example, data taken out on a USB stick that is not encrypted.
Organisations now have less control and consistently struggle with the challenge of protecting sensitive data. So where are the immediate dangers?
In the panic of the lockdown, many organisations did not have the time or capacity to set their Team Members up with company-owned devices. Many are working off personal laptops & tablets.
Personal devices are often not properly secured and data is often not encrypted. Ask yourself:
- Who has access to these devices?
- Is there protection against malware?
- When was the last operating system update run on the device?
- What levels of password security are in place?
- Are employees encrypting or pseudonymising data before it is transferred?
With Team Members working remotely while juggling families, more and more will be working flexible hours, many of which will fall outside regular office hours. These irregular hours must be supported. Ask yourself:
- Do you have an emergency response to a data breach that can be accessed 24 hours a day, seven days a week?
- How is your organisation notified of a data breach that occurs at 11 pm or 2 am?
- How do you shut down a network with so many remote workers?
Data protection policy & training
It is advisable to find out whether the data protection policy should be adapted to the new working environment. Ask yourself:
- How are you relaying these changes to Team Members, and has each Team Member had training in the new data protection policy changes?
- Is your working from home policy in line with your data protection policy?
- Are you investing time in boosting your employees' GDPR expertise?
- How are you handling IT security training within the remote community of your organisation?
Next week the OASIS Group will be publishing an updated GDPR toolkit for the new working environment: a checklist to help your organisation visit the issues raised above and put together an overview of where you are in the evolution of GDPR in our new working environment.