GDPR and remote working

GDPR and remote working

GDPR and remote working

Many businesses have been operating during the Coronavirus lockdown by asking their employees to work remotely from home.

It may be that if this has been successful and there is no need for them to be present in their former offices every day, that this way of working will become the new norm.

However, there are implications under the GDPR (General Data Protection Regulations) that require databases containing clients’ and customers’ personal details to be kept secure.

Remote workers are advised to:

  1. Ensure that security software installed at a device level is up to date. This includes not only company databases but also encryption, firewalls and web filtering.
  2. Install the latest anti-virus and anti-malware software.
  3. Keep mobiles and laptops safe, preferably locked away when not in use and never left in a vehicle that is unattended.
  4. Ensure that family members, especially children, do not use work-supplied devices.
  5. Install password protection, if it has not already been done.
  6. Ensure removable devices such as USBs are malware free and kept securely locked away when not in use.
  7. Lock away any personal data in a storage unit when not in use.
  8. Wherever possible avoid downloading sensitive data to a laptop, instead access it only via the company’s intranet when needed.

Are you considering using facial recognition technology in your business?

Are you considering using facial recognition technology in your business?

If the security of your site is an issue you may be considering installing facial recognition technology.

However, there are some issues to be considered before you go ahead.

The technology is relatively new and there have been questions about its use and its accuracy both in the UK and in the USA.

In the UK the Metropolitan Police invited the University of Essex to study the force’s trials of its facial recognition software and researchers concluded that only in 19% of the 42 cases studied could they be sure the force had identified the right person.

Then there are the privacy issues.

The ICO (Information Commissioners Office) announced this month that it would be studying the use of the technology following an outcry over its widespread use at King’s Cross Station in London.

It has already warned businesses that they needed to demonstrate its use was “strictly necessary and proportionate” and had a clear basis in law.

While there are those who argue that facial recognition technology is a useful law enforcement tool for helping keep public spaces safe from criminals and terrorists, others argue that its use is a gross invasion of privacy.

Since the introduction of GDPR (General Data Protection Regulations) businesses and organisations have a duty of care to protect any personal data they collect from users of their services, customers and clients.

In this context it would also apply to employees. It may be useful and more efficient if employees can gain easy access to their offices and IT equipment via facial recognition technology, but you should be very careful about how much information on them you store.

Under GDPR, as face recognition technology (or FRT) collects information of a person’s facial features, its classed under biometric data, which is labelled as “sensitive personal data”.

The regulations do include exemptions which allow the use of FRT in the following circumstances:

  • If the user has given his/her consent willingly
  • If biometric information is required for carrying out employment, social security, or social protection obligations
  • If biometric data is required to protect the vital interests of the individual and he/she is incapable of giving consent
  • If it’s required for legal issues
  • If biometric data is necessary to aid in public interest such as health

So if you are considering using FRT in your business the crucial thing to do is to make sure you have user consent, that it is a positive opt-in to allow it and that there has been no implicit or explicit coercion. You should also make clear what information will be collected and name any third parties with whom it will be shared.

Above all, you must have clear documentation of all this and it should be made clear that people can opt out whenever they wish.


GDPR is looming – is your business ready?

It is reported that many small businesses are still either unaware of or unready for the new data protection regime, GDPR, that comes into force in May this year.

Businesses will have to ensure that any information they keep on their customers is stored securely, and this applies to both online and paper-based records.

They must also be able to remove any personal information if the customer requests it.

If any services are outsourced to another provider, they too must be GDPR compliant, and both will need to appoint a data operations manager to be responsible for security and compliance.

The new regulations will apply to even the smallest businesses if they keep customer records and there is plenty of advice on what they need to do on the ICO (Information Commissioners Office) website.  This is the best source for information as the ICO will be regulating compliance and has the power to issue fines for non-compliance.

Two particularly helpful guides are the 12 steps to take now downloadable PDF and the checklists on the website, one for data controllers and the other for data processors, available here

At Colchester IT, we can assure our customers that we have already put systems in place to ensure everything is secure.

All websites are stored on third party software to ensure security and all data is now held on a separate server, not accessible to outsiders nor wifi enabled. Everything is also password protected.

In any event we only hold on to data for a maximum of 30 days.

We have also taken steps to ensure that any third party suppliers we use are GDPR compliant and of course, we ask for permission before we send customers any e-newsletters and updates.

We also ensure paper-based records are regularly shredded.