With the pandemic yet to show any signs of abating, many of us are likely to be working from home for quite some time to come. But it’s not without its challenges, and for those working with personal data, whether it is details for supporters, beneficiaries or even staff, one of the most important areas to get right is data protection compliance.
Here are five simple steps to help:
1. Ensure staff are up to speed with data protection policies
Regardless of where people are working from, every organisation should already have data protection policies in place covering data retention, data security and information handling. Your organisation may well also have a policy on Bring Your Own Device, which will tell anyone working from home how to protect their device, be it phone, tablet or laptop, and any data held on it. Ensure these policies are shared with staff so that everyone is aware of the dos and don’ts.
2. Protect sensitive data with virus protection and encryption
In the office, staff will be working behind firewalls with anti-virus scans running across the system at frequent intervals, but outside the office they are unlikely to have the same level of protection. To mitigate risk, anyone working from home should ensure they are signed up to a good level of virus protection. Files containing ‘sensitive data’, whether commercially sensitive to the organisation, or special category as defined by GDPR, should also be encrypted.
Downloading personal data, and particularly special category data, to a personal device unnecessarily should also be avoided. If your data protection policies say you must not download personal data but it is in fact necessary under the circumstances, you will need to seek written approval from whoever manages your organisation’s data protection.
3. Send personal data securely
With many of us now relying much more on email to communicate with colleagues, it is important to remember that under GDPR rules, personal data must also be protected when sent via this channel.
If possible, all personal data should be transferred via SFTP sites. Alternatively, you could anonymise it or grant access through a shared file. If it must be sent by email, encrypt and password-protect the file, even if it’s a small amount of data. Making it a zip file usually allows you to do both, and you should also employ a strong password generator. You can apply this password to the zip file once you have made a note of it, but it’s best to avoid sending passwords by email if possible and to use another communication method such as text instead.
If you are accessing significant amounts of data, consider using an ethernet cable connection, as WiFi makes it far too easy for personal data to be intercepted on an open network or one with little protection.
4. Erase data securely
Simply hitting the delete button when disposing of personal data is not enough and will leave it sitting somewhere in the memory of the PC. The Information Commissioner’s site lists a number of ways to ensure data is properly erased. Anything printed off must also be disposed of securely by shredding.
5. Get home security right
No matter how secure someone feels at home, computers used for work should be password protected and locked away if possible when not in use, especially easily moveable devices like laptops. Phone security should also be checked, particularly as most people now have email on their smartphones. Ensure the screen locks after 30 seconds of inactivity, and that it requires a passcode and/or a fingerprint to unlock it. Switch on tracking if a phone has this capability, in case of loss or theft.
If you do lose any piece of equipment or something else goes wrong, report it to your data protection and IT departments immediately to help them reduce the impact, and so they can report a data breach if necessary.
While none of these tips are rocket science, it is often the obvious that gets forgotten, particularly at a time like this when everyone’s attention is being pulled in multiple directions. No matter what the situation, however, data protection rules still apply.
Suzanne Lewis is founding director of Arc Data and specialises in helping not-for-profit organisations source, manage and understand their data.