This article is intended to help organisations that are introducing remote working into their business operations by providing an overview of its legal, regulatory and contractual implications.
Legal and Regulatory Considerations
Depending on the type of business you operate, there are certain legal requirements that you must adhere to when processing customer data. Laws such as the GDPR and the Data Protection Act 2018 require that personal data is processed in a way that ensures its security. This entails using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage of personal data. Businesses are accountable for demonstrating compliance with these rules, so the measures chosen should be documented and justifiable, not merely in place. Certain sectors, such as the legal sector, have additional regulatory requirements in terms of data security (see this article for guidance aimed at law firms).
The Government has recently decided to enter the ‘Delay’ phase in its fight against COVID-19, and the latest PHE guidelines now encourage businesses to have staff work from home. As such, the security and privacy of personal data and business-sensitive data has become a main priority for businesses. Remote working means that communications and data handling take place outside the controlled office environment, which increases the risks to sensitive data: examples include employees using unprotected home or public internet connections, and business hardware such as laptops being damaged or lost outside the office. To avoid becoming the victim of a security breach, businesses must ensure they have strong privacy and security policies in place, adequately supported by robust cybersecurity infrastructure and staff training.
To better support businesses during this time, the ICO has issued new guidance on data protection. Businesses are advised that staff can work from home; however, the same security measures apply to remote working as to office working. This is a clear indication that businesses must implement the changes necessary to ensure that adequate cybersecurity infrastructure is in place and that remote workers adhere to the organisation's privacy and security policies.
Organisations should review their cybersecurity infrastructure and incident response arrangements to ensure their response to attacks remains appropriate when staff are working remotely. Contracts with vendors and service providers should address liability for attacks resulting from remote working practices. In particular, businesses should ensure that such contracts include provision of security measures for the following:
- Handling mobile devices or media that may contain personal or sensitive data;
- Encryption and truncation requirements;
- Transportation or transmission of personal or sensitive data, including over public or wireless networks (for example, the home and public Wi-Fi connections remote workers rely on);
- Risk allocation, including indemnification obligations, for security breaches.
Contracts with vendors and service providers might also impose obligations on businesses to notify third parties of security breaches. These contractual notice periods sit alongside the statutory duty under the GDPR to report a notifiable personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Organisations should ensure they are adhering to their contractual obligations, whilst also making sure that service providers are offering them adequate protection for remote working practices.