
What has a year of home working meant for the DPO?

Byron Shirley of The Compliance Space explores how the role of the data protection officer has changed in the past 12 months

It’s hard to believe that a year has passed since much of the employed world was sent to work from home indefinitely. Home spaces have become workspaces and, for many, remote working is set to continue for the foreseeable future. In recent weeks, we have seen several companies announce that a move to a hybrid way of working, split between the office and home, will be made permanent.

While using digital tools is now normal, for data protection officers (DPOs) the move to out-of-office working has brought its own range of compliance challenges and security headaches.

For example, how do you keep a handle on how your data is being used – and ensure the safety of that data – when your workforce could potentially be using different networks or devices and a variety of digital tools, from video conferencing to file sharing? And, importantly, how do you keep a workforce engaged in the important role they play in the success of meeting data protection obligations, when you’re not in the same physical work environment?

In IBM’s most recent Cost of a data breach report, 70% of respondents said they believed a remote workforce would increase the cost of a data breach. The main reason for this is that it takes longer to identify and then respond to a security incident if you are not on-site to deal with it.

Similarly, a 2020 survey of 200 IT and cyber security professionals from Malwarebytes revealed that remote workers caused a security breach in 20% of organisations, but at the same time, 18% of those surveyed said cyber security was not a priority, and 5% went further – admitting that their staff were “oblivious” to their company’s security procedures.

As such, there are key lessons to be learned after a year of remote working.

From a practical point of view, the most successful DPOs are those that have worked closely with their IT teams to ensure the right provisions are in place to protect data. For example:

  • Not allowing “access to everything”: While there is a temptation to let everyone have access to all things, there is a need to balance the requirement to work remotely with appropriate data access and security.
  • Discouraging local storage of data: Using approved online systems and educating employees on the benefits of having central access is still key.
  • Regularly reviewing security standards: It is still imperative to have minimum security standards for remote devices, such as disk encryption, strong passwords, VPN use for internet connections, and privacy screens.

That said, one of the most important lessons learned is that DPOs have had to find new ways to keep employees engaged with compliance issues when they are working from home. 

As DPOs ourselves, we know that making sure data protection stays front of mind across the whole workforce was tricky even before Covid-19 hit, and remains so. That is why technology has played, and will continue to play, a hugely positive and important role in both keeping data secure and keeping employees engaged.

So, what can DPOs do to ensure they turn the work-from-home era to their advantage?

  • The key principles do not change: The first thing to remember is that the key principles of good data protection management – such as those listed above – still apply, and it is important that people continue to apply them to their day-to-day working.
  • Make the permanent move to a digital data storage system: One of the main opportunities that has arisen from the increased use of digital solutions is that it can really reduce the perceived need for paper-based systems. This change in habit – moving from an outdated “hard copy” system to having all data stored on a secure online platform – is crucial to increasing efficiency and security for organisations.
  • Use time more wisely: With people spending less time commuting or travelling, there is potentially more time to dedicate to compliance-based activities. Book regular time in people’s diaries to do a data protection check-up to ensure everything is still compliant.
  • Be more flexible: Digital tools mean DPOs can be more flexible and aware of people’s individual circumstances by arranging virtual training sessions or updates that are easy for people to attend.
  • Find common ground: Having a common digital platform for people to interact on, and with, can really help drive engagement on compliance-based activities.

The most important thing in all of these is to stay visible. Even if that is not physically possible, the DPO still needs to be the “go to” person for help and support, and regular communication will continue to be crucial.

So, has much changed in the year of working from home? Undoubtedly yes, and lessons have been learned. However, when it comes to good data protection, the key principles still apply – as we outlined in our recent Data protection made easy guide – whether you are in or out of the office.
