Gaining Advantage Together

0330 0947777

IT and data security

GDPR means that if you process personal data, you must have the appropriate organisational and technical measures in place to protect that data from misuse, loss or unauthorised access. This becomes a particularly acute issue when the majority or all of your people are working from home

Apart from GDPR considerations, IT systems and infrastructure are likely to be under additional strain. You need to carry out sufficient testing to ensure they can cope and that there is no risk of interruption to essential functions. Added to that, there is likely to be an increased risk of hacking, so you need to have maximum security protection, particularly if you handle financial transactions.

Here are five things you need to consider:

  1. Do you have a specific policy or procedure in place for protecting data when people are working from home?
  2. Have you ensured that your staff have had a proper opportunity to read the policy and understand it?
  3. Have you checked you have sufficient software licences, and bandwidth, to allow remote working?
  4. Have you thought about your vulnerability to hacking? Financial transactions may need extra care.
  5. Wherever possible, ensure remote workers are not using their own phones, or are prefixing the number with 141 so that the call will go out anonymously.

Frequently Asked Questions


Do I need to tell people if we have had a confirmed case of COVID-19?

Yes, you should tell your employees and any visitors. They may need to know in order to protect their own health.

However, under the data protection law, you must only provide the minimum amount of information about people. According to the law, you must judge for yourself whether it is necessary to reveal the name of the person who has contracted the virus.

This is a difficult area to give guidance about. However, it would be reasonable to tell people who had come into direct contact with someone who contracted COVID-19 the name of that person.

Are GDPR requirements different with people working from home?

No.

The requirements are the same as usual, which means you must ensure that any personal data you hold is secure, wherever people are working.

If you already have good homeworking systems in place you should keep checking your systems are secure and your people are well trained in how to handle personal data.

However, if homeworking has caught you by surprise you may need to be doing more to protect against leakages of personal data. As a minimum you should:

  1. Follow the guidance on the National Cyber Security Centre’s website about setting up a remote access VPN.
  2. Give people basic IT security training, including guidance about not using personal email accounts, not allowing people to overhear telephone calls and keeping screens private.
  3. Give people data protection training if they handle personal data.
  4. Give people cyber security training and make sure they have installed anti-virus software on any computer they use, including personal computers.

You can read the government’s guidance on cyber security for businesses here.