Understanding how GDPR fits into the new normal.

Home Office GDPR

The new normal of living in a Covid19 world brings with it some important questions about how you’re going to manage your business’s data security.

If you’ve changed how and where your workers are based, such as home workers or shared work spaces, or have taken on extra measures such as track and trace or monitoring your staffs health, there are data security measures that you must implement to comply with GDPR and protect the processing of personal data.

Data Protection Impact Assessment (DPIA)

Under the GDPR you need to show that any processing of personal information is being being done in line with the GDPR. You’re responsible for being able to demonstrate your compliance and to show that you’ve considered the impact of the data your processing. It’s recommended that you have a Data Protection Impact Assessment (DPIA) to help demonstrate your assessment.

Making changes to your GDPR policy should only be done after a DPIA is carried out.

The DPIA is not just for large organisations, any business that is processing personally identifiable information is required to be registered with the ICO and to have a GDPR policy in place.

What counts as Personally Identifiable Data?

Any information that can identify an individual is Personally Identifiable Data, the most obvious being peoples names, but other types of data could also be used to identify someone;

  • Names
  • Client Reference ID’s
  • Order Numbers
  • Browser Cookies from websites
  • PAYE information
  • CCTV images
  • Bank Details
  • Mobile Phone Numbers
  • Social Media Details

What counts as Processing Data?

Any time anything happens to the data, it’s processing. With digital data this would include when it’s first entered into your system, if it’s accessed, sorted or looked up and when it’s modified or printed.

It includes the collection of data even if it’s not stored, such as taking temperature readings.

I don’t use a computer for work?

The GDPR covers processing of data in any format, this includes data on your mobile phone (such as contact details, call logs, text messages, WhatsApp messages etc)

I don’t even have a mobile phone

It’s not just digital data that is covered, an form of filing system is taken into account, so an address book, Filofax or even the top drawer of your desk would all fall under the GDPR.

Track & Trace

If you’re recording information for Track & Trace, you are required to follow the GDPR when doing so. You should update your GDPR policy to include the processing of this data and carry out a DPIA to make sure you are following the requirements of GDPR.

You should make sure that individuals know why you are collecting this information, who will have access to it and how long you will retain it for. The data collected must not be used for any other purpose.

You will need to identify the lawful basis for collecting this information. If you have a legal requirement to collect the information, or are doing so because your industry is encouraged to do so, it’s likely that you will be able to use ‘Legitimate Interest’ as the bases. Otherwise you may be required to use individual consent.

You should collect the minimum amount of information needed for the purpose. This would probably be a contact name, phone number and the date, time and duration of their stay at your premises.

The ICO list an ‘ABCDE’ approach to contact tracing:

Ask for only what’s needed
You should only ask people for the specific information that has been set out in government guidance. This may include things like their name, contact details and time of arrival for example.You should not ask people to prove their details with identity verification, unless this is a standard practice for your business, eg ID checks for age verification in pubs.
 Be transparent with customers
You should be clear, open and honest with people about what you are doing with their personal information. Tell them why you need it and what you’ll do with it. You could do this by displaying a notice in your premises, including it on your website or even just telling people.If you already collect customer data for bookings, you should make it clear that their personal data may also be used for contact tracing purposes.
 Carefully store the data
You must look after the personal data you collect. That means keeping it secure on a device if you’re collecting the records digitally or, for paper records, keeping the information locked away.See our guidance on simple security measures you can take here.
 Don’t use it for other purposes
You cannot use the personal information that you collect for contact tracing for other purposes, such as direct marketing, profiling or data analytics.
 Erase it in line with government guidance
You should not keep the personal data for longer than the government guidelines specify. It’s important that you dispose of the data securely to reduce the risk of someone else accessing the data. Shred paper documents and permanently delete digital files from your recycle bin or back-up cloud storage, for example.

Track & Trace QR Code

If you’ve printed out a government Track and Trace QR code, you do not need to include that information on your GDPR as you will not be processing the information in any way.

Get a UK Government NHS Track and Trace QR Code here

Monitoring individuals for signs of Covid-19

(Temperature monitoring, symptom monitoring or asking about their health or the health of household members)

If you’re monitoring individuals (or their household) for signs of COVID-19 you will need to take extra care with the way the data is collected and processed. This type of data is classed as Special Category Data and has extra safeguards offered by the GDPR.

You should carry out a DPIA to ensure you have covered all the legal requirements for processing this kind of information.

The ICO GDPR coronavirus hub ‘Testing’

Individuals who are asked about their health or the health of those they live with, or who are asked to take a test or have their temperature taken, have rights under the GDPR. They are entitled to know at the point of collection;

  • What information is being collected.
  • Why it’s being collected.
  • Who will have access to the data.
  • How long the data will be held for.
  • What the legal basis is for collecting the data.
  • who they should contact if they have any problems or issues.

They will also be entitled to request a copy of the data (Called a Subject Access Request, or a SAR)

Furthermore, they will be required to give specific, clear consent for the collection of this information.

Home workers access to company data

With many organisations now looking at moving to full or part time home workers, you need to make sure your GDPR policy covers the movement of data to and from your remote workers, and the data’s security while off site.

The transfer of data to and from your workforce and your office network should be a closed, secure transfer, either digitally over secured communications channels or physically.

If your workers are in the office or in other company owned premises, the security can be centred around the closed network design, but when your workers are remote or working from a home office, that transfer of data needs to be done via public systems (This could be manual, such as moving paper records and files from the company to the workers, or digitally over the public internet)

If the data falls under the scope of the GDPR, then it is a lawful requirement that you protect the transfer of the data.

For files and paper this could be by using a locked briefcase or storage box, a pre-vetted courier or an employed courier. For digital information, this should include encrypted data over secure connections, such as a VPN (Virtual Private Network) Remote Desktops or secured cloud services.

Passwords

You shouldn’t be letting your staff use weak passwords anyway, but we know in a secure office environment it can happen.

With staff accessing your business network remotely, those passwords suddenly become critically important and must be strong, ideally with 2FA (Two Factor Authentication) in place so any logon attempt needs to be verified by a text message or mobile phone app.

You should have sufficient monitoring of access so you can identify malicious logon attempts and any issues of security.

Data transfer and storage for home workers

You should make sure data is secured during transport, whether digitally over the internet, on USB devices or as paper files.

Once the data has been delivered to the remote worker securely, you need to make sure it’s stored in a secure way.

Paper folders and files should be stored in a secure locked cupboard or filing cabinet in the house for example, it’s not a good idea to leave them in a car or in a garage or shed.

Digital data should ideally be encrypted when not being accessed, and only kept in the remote location for as long as is necessary.

Using a home pc or mobile

If your remote workers are going to use personal devices for processing your organisations data, you should ensure that it meets your data security policy standards.

This should include sufficient secure (encrypted) storage, segregation of data from personal data, robust antivirus measures and secure internet connections as a minimum.

If you already have a Bring Your Own Device (BYOD) policy in your GDPR and IT deployment pack, then you should make sure it’s up-to-date, appropriate for it’s new use and that your employees read it and understand it.

Video Conferencing

Using video conferencing is a great way to keep in touch with staff and clients, but you should cover it’s appropriate use in your DPIA.

You should choose a platform or two that offer corporate level security, two factor authentication, logging and recording facilities and end-to-end encryption and deploy them for use.

You should make sure users are kept updated on proper use, and how to spot improper use or potential scams on the platforms, and you should make sure the end users are keeping their platform client apps up to date.

In your policy file you should include items such as screen sharing, file sharing, remote control and instant messenger chat use.

Office Chit Chat

One of the things people might miss while working from home is the office chit-chat. Not the gossiping at the coffee put for 20 minutes, but the background day-to-day chatter that helps the office function.

To help with this, there are a few digital radio stations and channels that will pay constant background chatter, it sounds odd but having that quite noise in the background can actually make it easier to concentrate on what your’re doing.

For the time when you would just pop your head up and ask a colleague something, you might find it useful to have an ongoing meeting room open between all your office staff. That way they don’t have to start a specific call with someone if they just want to ask a quick question.

tinsleyNET IT Servces Consultants #WeCanHelp

#WeCanHelp

We can help you conduct and write your Data Protection Impact Assessment (DPIA) to make sure you’re protecting personally identifiable data in line with GDPR requirements.

We can help you move your business to an agile, modern IT setup, with remote workers, hot desking and secure digital storage.

We can also help you with IT Support for your remote workers, making sure your agile workforce are getting the support they need in this new way of working.

If you need help with setting up remote workers, GDPR Policy files, DPIA’s or any other IT support issues #WeCanHelp

https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/

The Office (after Coronavirus)

WorkFromHomeC19

When the UK government took the decision to impose working restrictions in March 2020, the nature of office work changed dramatically overnight.

Not all the changes had a negative impact, people who could work from home found that they could be just as productive without the commute to the office.

We look at the lessons learnt and how they can be implemented to make the new normal a better place to work.

Working from home

It’s been a revelation just how convenient working from home is, both for the employer and the employee. No travel time meaning more productive hours and less pollution from driving, and, if your job allows it, more flexible working hours giving you more quality time with your family, fewer distractions (in some cases) and no arguments over who used the your milk.

Going forward, it’s easy to see that employees could use this to their advantage, downsizing their office as it only has to accommodate a fraction of the workforce while the remainder work from home or ‘hot desk’ in shifts.

First, lets look at how working from home could be a long term change, and at what a work from home office might need.

Home Workstation & Hardware

Home Office GDPR
Working From Home

It’s more than likely that your work from home employees will need a computer, chances are they already have a computer of some sort at home, but with the ubiquitousness of tablets and smartphones, it may well be that their home computer is somewhat outdated.

There are a number of options available here depending on the person and their position in the company.

The least expensive method would be to use a remote desktop session (even running it from a ‘live CD or USB rather than from their computers operating system) This requires little processing and memory power from the remote end as all the heavy work is done at the server end (typically cloud based or a server at your office)

You could provide a laptop for work use, giving you control over the spec and budget of the machines your staff are using, or you could give them a budget to buy their own devices for work use.

Unless particular processing power is needed on the remote devices, say for graphics work, then using a laptop is absolutely the best option. There’s a choice of touch screen, stylus input, tablet/laptop or standard laptops again depending on your employees needs.

Additional screens can be setup, especially if your staff are used to using them in the office, wide screens and rotatable screens are ideal for managing large spreadsheets or word processing.

Having a decent camera, microphone and speakers are also very useful especially when you’re running video conferencing calls or your remote workers are contacting clients. If the built in offerings are a bit low quality, it’s easy to buy and use external devices.

If the remote workers home space allows it, have a separate screen that can be dedicated to video calls and conferencing, leaving this logged into an office Microsoft Team meeting (or zoom, Skype or any other conferencing app) all day long so all your remote workers can see and speak to each other without having to start up a specific session. This helps give the office/team feeling to working and means that your staff can keep in contact as they would do normally, such as chitchat over a coffee in the office, or asking for help from colleges while their working.

If the remote workspace is not a dedicated area, such as a home office, then having hardware that can be setup and then packs away quickly and tidily is essential. If your remote workers are working on the dining room table, having two 20 inch monitors in place all the time would really get in the way!

Your remote workers might also need access to a printer or scanner. Depending on what quality they need and how often they need it, there are several options. From providing a multi-function printer/scanner at home for every day print jobs, to setting up the office printer to allow remote print access, and using the camera on the users smartphone as a scanner.

Home Broadband

Broadband
Home Broadband

In most cases, a lightning fast broadband connection at the remote end is not required, the amount of data sent to and from a remote worker can be kept quite light or buffered and cached when the broadband is less busy.

If there are other people sharing the broadband, hogging all the bandwidth when your remote user downloads a set of files is soon going to be picked up on, so using technology you can cache these files on the remote workstation over night, or access them via remote desktop software.

Carrying out a survey of your remote workers homes could help identify better broadband deals, and help your remote workers position their workstations and WiFi access points/routers in the best locations for connectivity and speed.

Compliance

It’s essential that your remote workers remain compliant with various legislation while working from home, Health and Safety and GDPR are the two that immediately spring to mind, but there may be others that you need to take into account.

GDPR General Data Protection Regulation
GDPR (DPA2018)

GDPR, the Data Protection Ace 2018, policies you have in place will need assessing and updating to cover the new situation, but this should not be a barrier to moving to this new working environment.

If home PC’s, tablets, smartphones or other devices are being used to process personal information, they should be assessed and managed according to your GDPR policy.

Business information and household information should be strictly segregated, and management put in place to protect the business data.

Assessing the working conditions for your remote users will quickly identify areas that need to be covered under your GDPR policy, this may include things like; screen privacy, data storage, printing and destroying printed material, transporting data between the office and remote office and data encryption.

Meeting Room & Reception

With your office staff working from home, it means the office doesn’t need to be so big. In lots of situations, a meeting room, reception area and one or two offices would suffice.

This means the meeting room can be large enough to accommodate clients and observe the social distancing rules, and and office workers in the building could work from one of the offices meaning they are isolated from other people while they’re in.

Your reception could be fitted with a client-facing monitor, and any ‘walk in’ clients could still speak with any member of staff via video conferencing.

A networked scanner and printer could also be made available to share documents.

Hot desking would need a slight revamp, with maybe just a docking station and screen left behind when a users leaves, and a wipe down of all surfaces before they are used again.

Keeping it all together

Making sure your company data is available to your remote workers in a reliable and secure way is essential. There are a number of options for you to look at.

Firstly there are cloud only solutions, services like Microsoft and Google. They are the big boys but that is a benefit; their platforms are reliable and robust and have a range of options and prices that give you access to different amounts of storage space and different tools.

Then there are hybrid solutions, part cloud based and part office-server based. These setups allow you to make use of all the transport facilities of cloud based connectivity, but with the security and peace of mind of an office-based server.

Then there is the pure office-only solution, letting you manage and configure every aspect of the system with an in-house server.

Each option has it’s pros and cons and are suitable to different types of work, in some situations you might combine different elements of all three setups to offer the right connectivity and security for your remote workers.

Having control over your data is essential. Being able to audit it’s use, monitor for breaches in your security, and remotely destroy data from a compromised device are all tools you should have at your disposal.

Making sure your data is backed up is critical. Also, making sure the data on your backup targets is up-to-date and includes any data that might be sitting on a remote device should be built into your backup plans.

tinsleyNET IT Servces Consultants #WeCanHelp

#WeCanHelp

We can carry out a review of your remote workers home office and advise you of any changes we think are needed to make it a long term working arrangement. We can check internet connection, WiFi location, device security, working environment and identify areas needed to be included in your GDPR policy

We can also sort out your office based needs, with terminals, servers, internet connections, security and everything else you need to allow your remote workers to be as efficient as possible.

Contact us today to prepare your workplace for the new normal.

ICO fines Facebook £500,000 for breaches of data protection law

ICO

The ICO have issued a fine of £500,000 to Facebook in light of serious breaches of data protection law. This was the maximum fine that could be issued under the Data Protection Act that was in place at the time of the breaches, under GDPR the fines could have been considerably higher.

Facebook have been found to have processed the personal information of users unfairly, notably allowing developers access to personal information without sufficiently clear and informed consent. Access was even granted to users information who had not downloaded the app, but were friends of users who had.

Additionally, Facebook failed to make suitable checks on the apps and developers using their system. One developer was able to harvest the personal information of up to 87 million users worldwide, without their knowledge.

After the Cambridge Analytica story broke and the breach of data protection was identified, Facebook failed to manage the breached data, waiting almost 3 years before suspending some developers access to the system.

Links

Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.

Elizabeth Denham
Information Commissioner
GDPR General Data Protection Regulation

General Data Protection Regulations

Data Protection Act 2018

The GDPR UK implementation and the UK Data Protection Act 2018 govern how organisations can process personally identifying information.

If your organisation needs to process personal information, it needs to be registered on the ICO database, and have a Data Protection Policy in place detailing the use of personal information.

Personal Information is any information that can identify an individual, such as employee names, customer id’s or CCTV footage.

If you need help assessing your GDPR compliance, contact us immediately for a GDPR review.

GDPR General Data Protection Regulation Logo

Make sure you’ve had the right GDPR advice

GDPR General Data Protection Regulation

The GDPR regulations have been in force for one month now and it’s great to see so many organisations large and small taking on board the message that individuals personal information is a privilege to process and not a right. But for every exceptional measure we’re also seen some poorly put together privacy policies that fail to pass GDPR standards, either using inappropriate lawful bases, not declaring the use of their party processors, not notifying individuals of personal information obtained not directly from them, or just outright misuse of personal information. Read more

GDPR

GDPR General Data Protection Regulation
GDPR General Data Protection Regulation

General Data Protection Regulation

Regulation EU 2016/679, known as the GDPR or The Data Protection Act 2018 in the UK relates to the use of individuals personally identifiable information.

What is Personally Identifiable Information?

Any information that can be used to identify an individual directly or indirectly is personally identifiable information and so covered under the GDPR.

Common types of Personally Identifiable Information are;

  • Names
  • Email Address (personal ones and business ones if they identify the individual such as joe.blogs@company.com)
  • Address
  • Unique Reference Numbers
  • Registration Plates
  • Photos
  • Phone Numbers

Some types of Personally Identifiable Information have a special category status, these include things like;

  • Health Information
  • Bio-metric Information
  • Sexual information
  • Religious Information

If you handle any of the special category information, you need to provide additional levels of security and have explicit consent from the data subject to process it.

Do I handle Personally Identifiable Information?

If you have any of the following, it’s likely that you are handling Personally Identifiable Information;

GDPR General Data Protection Regulation Logo
  • Employee Information
  • Customer Information
  • Prospects Information
  • Suppliers Information

What do I have to do to be compliant?

You need to make sure you are registered with the ICO as being compliant to handle Personally Identifiable Information.

You need to make sure you know how your organisation is processing information under the GDPR, where is it coming from, how is it being used, who has access to it, where does it go, how long do you hold it for?

You need a Privacy Policy to document how your are managing the security of the information you have, in this you need to identify the lawful basis for processing the information, and keep records of how you have come to the lawful basis, how you have processed information, and how you have ensured the security of the information.

You need a Privacy Notice to notify the individuals who’s information you have, about how you have obtained that information, how you’re going to use it, your lawful basis for using it, how you’re going to protect it and how they can submit requests to update or prevent processing on it.

You also need a means of monitoring your information store, either paper based or digital, that can identify when a breach happens. A breach could be as simple as accidentally deleting information or it could be as serious as someone unauthorised getting access to the information.

Responding to individual requests

Individuals have various rights to their data depending on your lawful basis for processing. You are required to respond to these requests in 30 days, and without any fee. You must provide any information in an easy to access format, and explain any technical terms used.

Responding to individual requests is something you should have a documented process for, this will save you time and trouble if and when you receive any requests, and will help keep you compliant with the GDPR.

tinsleyNET IT Servces Consultants #WeCanHelp

#WeCanHelp

There’s a lot of work that needs to be done getting your organisation GDPR compliant, we can take the burden off you and create the policies, documentation and processes you need to make sure your organisation is compliant.

We can continue to support you by processing your incoming user requests and monitoring your processes to make sure your organisation remains GDPR compliant.


General Data Protection Regulations

Data Protection Act 2018

The GDPR UK implementation and the UK Data Protection Act 2018 govern how organisations can process personally identifying information.

If your organisation needs to process personal information, it needs to be registered on the ICO database, and have a Data Protection Policy in place detailing the use of personal information.

Personal Information is any information that can identify an individual, such as employee names, customer id’s or CCTV footage.

If you need help assessing your GDPR compliance, contact us immediately for a GDPR review.

GDPR General Data Protection Regulation Logo