Managing data risks in a remote world
Remote working is not a new phenomenon but, with huge swathes of the population now operating from home, the pandemic has put the data protection challenges facing employers of remote workforces in the spotlight like never before.
At a high level, the current data challenges fall into four buckets: complying with data protection legislation; protecting the business from cyber attack; ensuring licensing arrangements for remote working software are up to date; and keeping abreast of regulatory change, including in relation to Brexit.
In a Trowers & Hamlins survey of more than 200 UK business leaders conducted in the summer, cyber and data breaches were identified as the primary risks that had increased for organisations because of the pandemic. These risks in turn increase reputational risk for business leaders, and are prompting 63% of the businesses interviewed to invest in technology and training that ensures data protection compliance. Many are also planning to invest in data protection risk assessments for employees working from home (59%).
Training can have a critical role in protecting the company, according to Charlotte Clayson, Partner in the Dispute Resolution and Litigation practice at Trowers. She says: “From a compliance point of view, one of the things that people often overlook is the importance of training and culture. It doesn’t really matter how great your cyber security is, or your policies, if the people working with the data on the ground don’t have a proper understanding of the risks and what they are supposed to be doing.”
That is even more the case when people are working from home and feeling less connected. “Data protection is a massive reputational issue and making sure the business understands that at every level is fundamentally important,” says Clayson.
From a data protection perspective, the risks are increased by the fact that people are working in their own homes and need to give more thought to things like the secure disposal of documents. Even the practicalities of where people work – if they live in a place with thin walls, for example – can have implications for keeping conversations and other information confidential.
When it comes to cyber security, the incidence of phishing attacks has increased since lockdown, with more targets being contacted via email by someone posing as a legitimate institution and lured into sharing sensitive data. That increase is partly because inadequate IT systems are failing to catch those attacks, but also because employees may be less alert generally when detached from colleagues and usual working practices.
“Those attacks can cause a huge amount of damage,” says Clayson, “both to reputation and to relationships with other businesses whose information may be inadvertently exposed. There needs to be an awareness across your organisation that people are trying to take advantage of the fact that we are all a bit more disconnected and we are doing everything through our computer screens at home.”
Companies should also take steps to minimise the amount of information that is stored on IT systems other than their own. Riccardo Abbate, Partner in the Corporate and Commercial Department at Trowers, says: “Employees should be accessing the work systems using a work laptop or a work mobile phone that is controlled by their employer, and at no stage should any of the information that they are using for work be stored onto any of their personal devices. Lots of businesses currently have to function using personal phones or personal email accounts, just from a practical survival perspective, but they need to be looking at how to address this growing risk of data leaking onto systems that are outside of the company’s secured systems.”
It is not enough for management to look the other way. “You need to be proactive as a business to find out how your staff are using their personal IT resources for work,” says Abbate, “because then you can guide your staff about how they ought to deal with data, which may mean deleting it straight after use.”
He advises clients to refresh their focus on the use and storage of their employees’ personal data, the handling of customer and supplier data, and to revisit data policies for marketing and websites.
Abbate says: “Companies need to be thinking about the risks. In addition to fines and investigations by the Information Commissioner, the biggest risk to businesses is reputational if there is a data breach. Business leaders need to think again about what data they keep and how they manage it.”
One mistake many companies make is assuming that the Information Commissioner’s so-called proportionate approach means that enforcement action will be proportionate only to the size of the business. In fact, it means proportionate to the harm that is likely to be suffered by data subjects in the event of a breach, so even the smallest high-street business can be fined a lot of money if it holds a high volume of sensitive personal data and does not treat it correctly.
Licensing is another area where many businesses might have dropped the ball during the pandemic. With so many staff now working from home, there is a risk that software licences that previously covered large groups of employees will no longer be sufficient.
Abbate says: “That just needs to be checked and is not something you should assume is okay. Because we are no longer in the office, we can’t share things in the way we could before, so maybe the current licensing basis for software used by a business might need changing. Previously you might have had one site licence covering people in a single office, but now you might need a licence for each individual user.”
Organisations also need to be mindful that the pace of regulatory change has not stalled as a result of Covid-19. On 16 July 2020, the Court of Justice of the EU issued its landmark Schrems II decision, looking at international data transfers to the US. Crucially, that means companies can no longer rely on the EU-US Privacy Shield when sending data to the US, because the voluntary framework on which the Privacy Shield was based, coupled with other relevant factors, was found to be inadequate to protect data subjects within the EU.
“The effect of the rejection of the US Privacy Shield can be addressed by having appropriate contractual terms between you and your counterparty in the US, based on the so-called standard contractual clauses set out in the legislation for cases of data transfers that are controller to controller or controller to processor,” says Abbate. He says, “It’s a solution that companies have to be aware of. Companies can, of course, add further restrictions and obligations on the US recipient of the data, but such obligations must at least be to the same standard set by the standard contract clauses. However, simply adding the wording is not enough, as you also have to consider, prior to the data transfer, whether the relevant environment in the country receiving the data will ensure that the standard contractual clauses will have meaningful effect. For example, would a judgement in the UK regarding a breach of the standard contract clauses be enforceable in the recipient country, or does the recipient country allow government authorities to access personal data for their own purposes? If the level of protection for the data subjects of the data being transferred is not equivalent to the applicable EU or UK standards, use of the standard contractual clauses alone will not suffice as a basis for lawful transfer of data.”
Finally comes the question of Brexit, which has the ability to up-end the rules governing personal data transfers between the UK and the EU. Abbate explained, "The UK government has already clarified that, at the end of the transition period, transfers of data from the UK to the EEA will be permitted so as to ease the transfer of personal data from the UK to any EEA country. It says it will keep this under review and that it intends to recognise EU Commission adequacy decisions made before the end of the transition period."
"The United Kingdom is seeking adequacy decisions from the European Commission in order to maintain the continued free flow of personal data between the EU and the UK and Gibraltar. Given that the UK data laws are currently at least as stringent as the EU's, given that they are based on the GDPR, it should be reasonable to expect, politics aside, that the EU will give adequacy decisions, but that has not happened yet," says Abbate.
For businesses, the lack of clarity is unhelpful and the ongoing Brexit negotiations need to be watched carefully.
What is clear is that data protection and cybercrime concerns remain top of the agenda for the UK’s corporate leaders, and should arguably be in even sharper focus as we continue to embrace new ways of working.