Recent reports indicate that the Information Commissioner's Office (ICO) has seen a significant increase over the past couple of years in personal data breaches arising from incidents involving employees.
The ever-increasing sophistication of cyber-attacks has no doubt contributed to this, and the cyber-related jargon seems to expand along with it: we all know the term 'phishing', but did you know there is also 'smishing', the same kind of lure delivered by SMS text message rather than email?
It's also likely that the rise in hybrid working and home working has contributed significantly to the rising data breach statistics.
With employees increasingly working from remote locations and regularly transporting devices between locations, the chance of personal data being misplaced or stolen is inevitably higher. So what key tips can we give employers to help reduce the risk of data breaches when it comes to home and hybrid working?
Data Protection Impact Assessments (DPIAs) are required under data protection legislation wherever an employer intends to roll out a new project or initiative that is likely to pose a high risk to the rights and freedoms of data subjects.
The purpose of the DPIA is to ensure that the key risks have been identified and that any mitigating measures have been explored.
In relation to home working, the DPIA should cover things such as:
This guidance suggests some helpful checks employers can carry out to identify any areas of weakness in a business' IT set-up. It covers the use of cloud storage, remote applications and email, and includes recommendations such as:
Every organisation is different and will have its own areas where the risk of a harmful data breach is more prevalent. For businesses that hold a significant amount of customer data, some of it sensitive, such as hospitals and financial advice firms, there will be times when employees are tempted to access or take data that they would not normally. This could be when dealing with public figures, or where an employee is working out their notice period and wishes to take customer information to use in their next role. Measures can, and should, be put in place to minimise such risks.
Training is always important, as it not only serves a purpose in ensuring a centralised message is being disseminated to all staff, but it also demonstrates to enforcement bodies like the ICO that the business takes data protection compliance seriously and has taken active steps to try and ensure data is protected in all circumstances.
Whilst training may have been carried out in the past, or when home-working first took off during the pandemic, if it has not been conducted in a while then consider rolling-out some refresher training for those to whom home or hybrid working applies.
On the same topic it's obvious point that all employees, regardless of where they work, should receive specific cyber-security training. A good quality, up-to-date training programme is well worth the investment, and giving employees a clear deadline to complete this training will ensure that it's not accidentally overlooked.
Policies are the cornerstone of an employer's compliance toolkit, so ensuring that the business' rules on home and hybrid working are included in an existing policy, or rolled out in a new one, is an obvious but important step towards reducing the likelihood of data breaches.
Having the policy is not enough, however. Keeping it updated, and regularly reminding employees that it exists and where it can be accessed, is also essential.
It is worth noting that if a data breach happens and there are weaknesses in an organisation's IT security or training, the business could be liable, whether to the affected individuals or through a fine from the ICO. Ashfords can work with you to proactively identify risks in your business and minimise the risk of a data breach.
Even for employers with the most stringent data security measures, it is unfortunately the case that data breaches can and will happen. If the worst does occur, every personal data breach should be recorded internally by the business, whether or not it turns out to be reportable. The employer will then need to consider whether the breach must be reported to the ICO and whether the individuals affected by it should also be informed.
All of this needs to be done within a very short timeframe. A notifiable breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, and that clock keeps running over weekends and bank holidays. It is therefore crucial that employees know what the breach reporting procedure is within their organisation, and who their first point of contact should be if they suspect there has been a breach.
If it has been a while since the company's data protection policy was circulated internally, consider emailing round a snapshot of the relevant section as an easy-to-read reminder to employees of what to do if the worst should happen.
Please contact our data protection team for further information and advice. For more insight into the breach notification process, watch our recent webinar below, in which we discuss the key steps involved.