In a year where millions of us made the transition to remote working, we’ve seen a new normal emerging. Many employers and their employees are now seeing the value of remote work and will be remaining remote even after the government’s advice to work from home changes. In short, the future of how we work is changing. One vital thing to consider if your organisation is planning to remain remote is data security. Here’s what you need to know about data security for your remote teams.
Education and Staff Training.
One of the best ways to ensure data security for remote workers is through education. Ensure remote workers know their data security obligations. Make sure employees understand GDPR principles and how to process and destroy data safely. Get a watertight, unambiguous routine in place for remote workers to follow.
Human error is one of the leading causes of workplace data breaches. In the ICO’s 2020-2021 Data Security Incident Trends, we can see that human error and paper-based incidents far outweighed cyber-security incidents. These statistics prove just how important education and staff training are for data protection. Fortunately, there are hundreds of free or low-cost resources online about GDPR compliance and data security. All staff members, not just remote teams, should receive training in these areas.
The key bits of information your remote workers need to know:
- What personal and sensitive data means
- The data protection measures your organisation has in place already
- What procedures to follow to avoid the risk of a data breach (e.g. not throwing business documents in their general waste and recycling bins, not clicking on unexpected attachments in emails etc.)
- What to do if they suspect a data breach has occurred, or how to report a vulnerability that could result in a data breach.
If an employee is aware of data breach risks and preventative methods, a breach is less likely to happen. If, on the other hand, an employee doesn’t know what personal data means and how it should be handled, your organisation could be setting itself up for failure, fines, and reputational damage. Clear communication and education on these matters is the responsibility of your organisation. So, make sure you’re setting your employees up for data security success.
One area to be particularly vigilant about is data sharing. The majority of reported data breaches in the ICO’s report were caused by employees sharing information with an incorrect recipient, and not correctly using BCC when sending mass emails.
Another thing to be especially wary of with remote workers is physical data security. There were 187 data breaches reported to the ICO in 2020-2021 that were caused by the theft of unsecured devices or paperwork. If your remote workers will occasionally be working from a coffee shop, library, or another public place, make sure they know never to leave their documents or devices unattended.
Make sure no business documents or materials end up in domestic bins.
A huge responsibility falls on businesses to ensure GDPR compliance while employing remote workers. This includes the secure disposal of confidential materials.
At any time, you should be able to prove data security measures have been considered for every document or piece of data that passes through your organisation. This includes who has had access to each file and what happens to those files when no longer needed. With remote workers, this process can be slightly more difficult to manage.
The first thing your remote workers need to be aware of is that it’s against the law for any business materials to be disposed of in domestic bins as per the Environmental Protection Act 1990. This includes business documents generated by remote teams, the self-employed, or anyone else based from a domestic address as part of their employment. Documents should be disposed of in the same way they would be if that employee were office-based.
With this in mind, how will your organisation ensure remote workers are destroying business documents and other materials securely?
Implement a data destruction schedule.
Failure to prepare a thorough data destruction plan for remote workers could be a very expensive risk. Even from home, remote employees may still generate large volumes of physical business documents. Once no longer needed, these documents need to be destroyed securely. Holding onto commercial documents for longer than necessary only increases the risk of a data breach or incorrect disposal. It is better to have a process in place to make sure confidential material is handled safely.
We suggest a “Shred Everything” policy for all confidential materials your home workers no longer need. This could be for paper materials, hard drives, USBs or any other form of physical data. This will avoid the risk of human error when deciding what documents or materials to shred. Remember, just one single piece of paper is all it takes for a data breach to occur.
The best way to safeguard the confidential information your home workers process is through secure destruction. We recommend implementing a data destruction schedule so that each month, your remote workers have a scheduled calendar appointment for 15 minutes or so to gather any materials they need securely destroyed. Once materials are gathered, remote employees can report back in to get a shredding service arranged should they need it.
Make sure your remote workers are aware if you share any of their data.
If you’re planning on sharing your remote workers’ personal information with external suppliers, make sure your employee is aware of how you’re using and sharing their data. The suppliers you use should have strict data security measures in place and be accredited to process personal information.
For example, if you’re setting up a shredding service for remote teams, you’ll need to share your employee’s personal information, such as their home address, with the shredding company. You should enquire about the supplier’s data security measures. Do not be afraid to ask questions or for proof of certification. How will they use your home workers’ data? Will they destroy it once no longer required? What are the procedures for their own remote workers if these workers will handle your employees’ personal data?
Any reputable company will be able to provide copies of their accreditation certificates. They will follow a comprehensive data retention schedule, receive regular audits, and will have demonstrable data security procedures.
Book in a shredding collection or arrange a fully-tracked postal shredding service.
Shred Station will happily collect unwanted business materials directly from your remote workers’ residences in a fully compliant and COVID-secure way. We can operate on a one-off or regular schedule to suit your needs. Additionally, Waste Transfer Notes can be sent to a centralised email address such as that of your company’s Data Protection Officer for an easily manageable audit trail. We can even email your remote workers directly when they’re the next stop on our route, ensuring minimal disruption.
For smaller quantities of documents, it could be worth using a fully-tracked postal shredding service such as our sister service, Ship2Shred. With the Ship2Shred service, your remote workers can fill up fully-tracked pre-paid envelopes with business documents and post them back to us once the envelopes are full. Ship2Shred can also provide fully-tracked pre-paid boxes for postal hard drive shredding.
Both of these services will destroy materials in line with strict BS EN 15713 data destruction standards. You will also receive a Certificate of Destruction after every service.