Guernsey’s data protection regulator, the ODPA, has announced that it has reached agreement with the States of Guernsey over transitioning to a self-funding model. The updated data protection legislation is now a little over two years old, but the scale of the task of implementing a framework for oversight has been significant. It is not surprising that core areas of implementation have taken priority, but nevertheless it is important to recognise this as a milestone development.
Many of the concerns raised by businesses relate to the differences in approach across various jurisdictions. Operating in a digital and global marketplace brings both benefits (in terms of access to new markets) and challenges (meeting regulatory requirements in those markets). The guide aims to simplify those issues and provide clarity on core operational matters, which will assist in planning new products or services, or adapting strategy to mitigate the additional risks.
Regardless of whether the jurisdiction in which you operate remains in some form of lockdown, or is relaxing restrictions, we have all had to adapt at least some processes and procedures to take account of working remotely. Even those who are used to the practice have had to consider the practicalities of limited access to physical premises, files or contact with other colleagues or contacts.
For others, adapting to an entirely new way of working has brought many challenges, tested existing behaviours and procedures and no doubt brought about a few sleepless nights. Many of the issues we have identified or worked on with clients relate to adapting to working remotely, taking into account their existing regulatory obligations, but modifying their solutions to deliver practical and pragmatic compliance.
The pandemic continues to affect jurisdictions to varying degrees and it is important to recognise that whilst for some, the pandemic appears to be passing, for others it is a problem that remains all-encompassing. Nevertheless, as governments adopt strategies designed to reinvigorate economies, relax restrictions and start planning for the future, many of the issues arising over the past few months continue to be relevant in the “new normal”. Indeed, the pandemic has driven digital transformation in many businesses at a pace that would likely otherwise have taken several years.
Since information management remains one of the top concerns on the list, we consider some of the problems and considerations that Covid-19 has presented and that we have seen affecting businesses in recent months.
What steps are employees taking to safeguard paper files and/or records, notes of calls, etc. whilst working from home? Are papers being locked away when the employee is away from their “virtual” office? Do other members of the household have access to their papers, devices, etc.? This is a particular concern for shared households.
The issue extends to calls – can other people hear what is being said on a work call? If the windows are wide open to accommodate good weather, could the conversation be heard by passers-by, for example?
Consider amending/updating your policy on data management and security to take account of some practical considerations around working remotely, such as those listed above. Involve employees in discussions around issues they face to ensure the policy is workable. Communicate it to employees so they are aware of what is expected of them and provide training where required.
Internet connection varies enormously, and is inevitably not as good/swift as that provided by the office environment, which takes some getting used to. Frustration at the time taken for documents to save, emails to be sent or calls to be connected can lead to individuals deciding to use their own devices for storage, calls, etc. This can lead to business communications or documents being stored or sent/received on personal devices.
Not only are these devices likely to be less secure than work-issued devices, but searches of document management systems will not capture items held on them, which brings the risk that actions are taken on incomplete information.
There is also the risk that, if a personal device has been compromised, access details for the work system or other confidential information could be compromised as well.
Consider amending or updating your policies to reflect the additional risks of continued remote working, and consider running additional cyber security awareness training to improve visibility of the issues. Reiterate messaging around any prohibitions on downloading work documents to personal devices and conduct test “phishing” exercises to highlight issues around business email compromise attacks.
The use of digital conferencing facilities has grown exponentially, given the inability of people to meet in person. However, there have been well-documented security concerns highlighted in the media.
Whilst the pandemic has forced some changes in order for businesses to continue operating effectively, that does not mean that they necessarily should become embedded. Take time to consider the platforms available, their security features and the risks of compromise before choosing one for your organisation.
Explain any restrictions on usage, appropriate dress codes and conduct on such calls, and consider adapting policies to incorporate any data captured on such calls (especially where recorded) to ensure that they are processed lawfully.
Pre-pandemic, people complained about “presenteeism” and having to be available 24/7 as a result of the efficient use of mobile devices. Post-lockdown, the expectations around availability are once again beginning to rise. Even during lockdown, taking annual leave for many simply meant logging on less frequently.
Consider discussing people’s experiences of lockdown and make sure that people do take the time off/breaks they are scheduled to take and/or need. Working remotely has demonstrated that colleagues and systems can cope, so make sure your workforce is mentally and digitally fit.
It is easy to switch off when outside the work environment. However, it is important to remain vigilant, whether that be to the risk of cyber attacks, impersonation fraud, or exploitation of the fact that teams cannot communicate as easily.
Consider additional training for staff, raising issues and reminding them of the need to follow process and verify instructions where applicable. If issues are identified, make sure staff are aware of lines of communication, who to contact with emergencies, etc. Ensure that you “war game” incident response and have a core team available to deal with crisis management.
Return to work
When equipment is brought back to the office, is this being logged, and is the equipment being patched or checked and updated where necessary? Have any materials generated during lockdown been returned and/or filed or destroyed as appropriate?
If working from home is to be a continuing feature of working life in your organisation, consider the above issues and how procedures may need to adapt to take them into account going forwards. Consider assessing the remote working experience and incorporating learning into the next phase – what worked well, less well, etc.
Whatever a post-pandemic working life looks like for you, consider updating and reviewing how you manage the issues set out above and what practical steps can be taken to protect your organisation from the fallout of what will undoubtedly have long-lasting effects.
In the digital world, data management and analysis are crucial to growth and successful relationships with customers, so focus on those assets and their security as a first step.
Should you have any questions on the above, or in relation to the Offshore Data Protection Guide, please contact a member of our global Data Protection team or your usual Appleby contact.