In 2020 and beyond, many businesses have adopted remote working for all of their staff and employees. As a style of working that lets many people work around the current climate of restrictions and regulations whilst maintaining productivity, it’s easy to see why remote working has become so popular. However, there is an aspect of remote working that companies may not have considered: the risks it carries, and the importance of encouraging safe online practices for staff in the “remote workplace”, including on topics such as GDPR.
In this blog, we will explore what some of the main risks are of remote working concerning data safety, what kinds of policies a company can instate to encourage the protection of data online, and how UK Postbox might be able to help.
What is GDPR?
The General Data Protection Regulation, commonly known as GDPR, is a set of regulations brought into practice in the year 2016 concerning the protection of data. It serves as a legal framework for any business or company that operates within the EU (European Union) or interacts with any European visitors, and sets guidelines for the processing of personal data belonging to these people. The regulations apply to the data of EU residents regardless of where the company is based, even if it doesn’t specifically operate in EU markets. GDPR can come into play for many businesses that are now working remotely, as even more data and personal information is being collected and processed online than would typically be the case.
Common Remote Working Risks
As just alluded to, the practice of remote working brings with it some significant risks with regard to personal data and information, including the following:
Insecure Networks & Connections
When employees begin working remotely, they will have the basic requirement of needing access to all of their work data and information. However, since many will be used to simply being able to access their work quickly and locally in the office, there can be a risk associated with accessing sensitive information at home, over potentially insecure networks and connections. And if remote working has created new ways for employees to access information over the internet, then the data is naturally at greater risk, because the processes are new to the employees and harder to manage.
With remote working also comes brand new processes and standard practices for how employees may need to handle and save important company information. While it seems obvious, if an employee doesn’t quite have a handle on these new processes, they may find themselves saving vital information in the wrong areas, leaving themselves open to malicious data breaches.
Your business or company might also be one that is employing a BYOD (Bring Your Own Device) policy as part of its remote working policy. A BYOD policy allows employees and staff to work from their own personal devices (such as laptops) rather than a company-issued device. Whilst a BYOD policy can have several potential benefits, it also brings with it several potential data risks. Staff members’ personal devices may be used by multiple people not affiliated with the business, such as family members, meaning that business data might unknowingly be available to many. Some personal devices may also not be equipped with the best software to protect them from malicious viruses and hackers, which is a significant data risk in itself.
Your GDPR Remote Working Policy
You might be wondering what you as a business can do to help protect your company’s information from being put at risk whilst a remote working solution is in place, especially with regards to GDPR. Below we have outlined a GDPR remote working policy which you can use to inform some of your data protection decisions for your own business.
The NIST Framework
The NIST Framework (the NIST Cybersecurity Framework) is a policy framework of computer security guidance, designed for private sector organisations in the United States. It shows businesses how they can assess and improve their ability to prevent, detect, and respond to malicious cyberattacks, and can be applied to EU businesses too. The framework covers these five areas:
- Identify: Businesses need to develop a clear understanding of their situation and assess the current level of risk to all of their systems and information.
- Protect: Businesses need to have several regulations and processes in place that serve to protect important company data from breaches.
- Detect: Businesses need to have systems in place that continuously detect and reveal potential cybersecurity risks, as quickly and efficiently as possible.
- Respond: In the unfortunate event that a data breach happens, businesses need to be well equipped to respond to it and prevent it from getting worse, with a clear response plan.
- Recover: Once any potential cybersecurity incidents have been dealt with, your company should have clear plans in place to deal with affected areas of the business and help them recover.
While somewhat broad, the NIST Framework clearly highlights the critical areas that your business should cover in any data security plans, especially when many employees will be working from home.
Your business should seek to address any vulnerabilities found in this new way of storing data for remote workers. With remote staff able to access business data from anywhere, the risk of data being compromised is exacerbated. Data breaches, more often than not, occur from simple things such as human error: an employee mislaying a USB stick or personal device, or laptops being misplaced or even stolen, risks that are only heightened during remote work. While it can be difficult to legislate for an employee physically losing data in this way, as a business you can set up processes to prevent further damage from occurring.
One example is to set strict access rights to this data. This means that, should your company information come into the wrong hands by way of a misplaced device, the person now in possession of the laptop would only have access to a portion of the data.
Data can also be protected during the process of data transfers. Whenever company information is moved from one location to another in remote working, it should be adequately protected. This can be achieved through pseudonymisation and encryption.
Pseudonymisation is a process that masks important data: a technique that replaces or removes the information in a data set that identifies any individual. Pseudonymising data can reduce the impact of a data breach and help you meet your data protection obligations. Encryption is the process of taking plain text and scrambling it, helping to secure the confidentiality of data both stored on computer systems and transferred over networks. Together, these two tools help you protect your business’s data much more securely.
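As an added illustration (not code from the original post or from UK Postbox), here is a small Python routine for the kind of pseudonymisation described above: identifying fields are replaced by keyed HMAC tokens, and the key and the lookup table are kept separately from the data set that leaves the business. The field names, the sample records and the 16-character token length are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple

# Assumed for this example: the fields that directly identify a person.
IDENTIFYING_FIELDS = ("name", "email")


def normalise(value: str) -> str:
    """Canonicalise an identifier so 'Alice Smith' and ' alice smith ' get the same token."""
    return " ".join(value.strip().lower().split())


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed HMAC-SHA256 token. Without the key, a token cannot be linked back to the value;
    the field name is mixed in so the same string in two fields gives different tokens."""
    msg = f"{field}:{normalise(value)}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return (records safe to transfer, lookup table). The key and lookup table stay with
    the data controller and are never sent alongside the pseudonymised records."""
    safe: List[Dict[str, str]] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        out = dict(rec)
        for field in IDENTIFYING_FIELDS:
            if field in out:
                token = pseudonym(key, field, out[field])
                lookup.setdefault(token, out[field])  # keep the first spelling seen
                out[field] = token
        safe.append(out)
    return safe, lookup


def reidentify(records: List[Dict[str, str]], lookup: Dict[str, str]) -> List[Dict[str, str]]:
    """Re-attach real identifiers; only possible for whoever holds the lookup table."""
    return [{k: (lookup.get(v, v) if k in IDENTIFYING_FIELDS else v) for k, v in rec.items()}
            for rec in records]


# Constructed sample data set for the example, not real customer data.
SAMPLE_RECORDS = [
    {"name": "Alice Smith", "email": "alice@example.com", "order_total": "120.00"},
    {"name": " alice smith ", "email": "ALICE@example.com", "order_total": "35.50"},
    {"name": "Bob Jones", "email": "bob@example.com", "order_total": "80.00"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per data set, held only by the data controller
    safe_records, table = pseudonymise(SAMPLE_RECORDS, key)
    print(json.dumps(safe_records, indent=2))  # what may be transferred
```

The non-identifying fields (here order totals) stay intact, so the recipient can still analyse the data set, and the same person always maps to the same token because identifiers are normalised before hashing.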
As previously alluded to, one of the most common causes of data breaches, especially when employees are working away from the office, is human error. It is true that you as an employer cannot legislate for certain instances of human error (such as misplacing sensitive items). You can, however, set up employee training to ensure that all of your staff are up to speed on the latest data safety practices you employ.
Whether it’s in one-on-one sessions or group training seminars, whoever is in charge of data security at your company should take your staff through all of the processes and tools they’ll need to be aware of whilst working remotely. And it doesn’t end there; employees are not robots that will immediately take in and master these processes. Your data security experts should always be available should they need additional help, or if they have any questions on the new security policy.
An additional point to consider when constructing a GDPR remote working policy for your staff to follow is the role and prominence of personal devices. When working remotely, staff will often be given one of two options concerning the devices they work on. The first is to take home a company-issued laptop or computer, with all of the login details, information and security measures preloaded as standard practice. The second is to allow employees to complete work directly from their own devices instead. Each approach has distinct advantages and disadvantages, and the one you choose will simply depend on the preference of the business.
With personal devices, you have the added advantages of:
- Cost: Since staff are using their own devices, the business does not need to cover the cost of the laptop or the cost of any repairs.
- Productivity: Many people work much more effectively and efficiently on devices that they are familiar with. Studies have shown that an employee will work an extra 2 hours on average every day when using a personal device for work.
- New Technologies: Working from personal devices can also provide more options in terms of new updates and technologies, without the business actually having to pay for them.
For more information on the benefits and drawbacks of using a personal device from a business’s perspective, you can read our blog on Bring Your Own Device (BYOD) policies here.
With company-issued devices, you have the advantages of:
- Control: With company-issued devices, you can more fully control and guide staff to use the right tools and have access to the correct information, as everything they need comes preinstalled.
- Security: Personal devices run the risk of being less secure, be it because of a shared login providing easy access to sensitive data, or your staff not keeping the computer updated with the latest security measures.
- Uniformity: Having all of your staff work remotely from the same type of device can help bring about a more uniform, consistent level of work as a team. For example, some of your employees may be working from personal devices of a much lower quality compared to others.
How UK Postbox can Help
When it comes to remote working, GDPR, and your business’s physical mail, UK Postbox can offer some assistance with your data protection through our various mail management services. With our Business Contingency Planning for physical mail, for example, we can help you to protect sensitive data.
If your company’s staff are now working remotely, you may find yourself in a situation where no one is managing your business’s physical mail anymore. This can lead to important documents, reports and contracts being misplaced and not actioned, which is bad news for your company if these mail items contain sensitive data such as client, customer and employer information. What’s more, if you are not able to manage your physical mail effectively, then people with malicious intent such as fraudsters may even be able to gain access to your mail.
With our Contingency Planning for Business Mail, UK Postbox can effectively manage your physical mail during times of change, such as in the process of moving from working in the office to working remotely. With our services you can:
- Get a Virtual Address: Sign up for our business address service and receive a virtual address, from a wide variety of physical locations including London and Dorset.
- Redirect Mail: Set up a Royal Mail redirection service to divert your post to your virtual UK Postbox address.
- Manage Business Mail online: You can quickly and efficiently manage all inbound and outbound business mail using all of our platform features; including mail forwarding, content scanning and more.
- App Integration: Our service can be fully integrated with a variety of apps, such as OneDrive, Google Drive and Dropbox, for ease of use with your team’s preferred tools.