Are you collecting laptops and devices from furloughed or redundant employees? Are your employees returning to work?
The General Data Protection Regulation (GDPR), the UK’s Data Protection Act 2018 (DPA18) and other international privacy laws require all organisations to update and monitor their procedures for how personal information is handled and protected. We therefore urge all organisations to perform non-intrusive forensic audits on devices, laptops and phones to confirm that company data and any personal data remain secure and have not inadvertently been leaked or breached. Consider undertaking a fundamental forensic examination or spot checks on company devices, including an examination of USB usage, Wi-Fi access, download/upload history, browsing history and security updates.
Be aware of the threat from disgruntled employees who have been made redundant or furloughed yet are still in possession of company devices and confidential information. A large percentage of internal fraud is committed by employees who were, or are, facing some form of discipline or change at work. Have they had access to the network during this pandemic? If so, what information could they have accessed, downloaded or leaked to others?
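The spot checks described above can be scripted so that every returned device is examined the same way and the results are preserved for the compliance file. The following PowerShell script is an added example, not part of the original article or any tool it describes. It assumes a Windows 10/11 laptop, PowerShell 5.1 or later, and an administrator session; it is read-only apart from copying browser history databases out for offline review, and it writes every artifact class the article names (USB devices, Wi-Fi profiles, browser history, recent downloads, installed security updates) to a dated folder and hashes the collection.

```powershell
# Added example: read-only triage of a returned Windows laptop.
# Assumptions: Windows 10/11, PowerShell 5.1+, run from an elevated session.
param(
    [string]$OutDir = "$env:USERPROFILE\Desktop\device-triage-$(Get-Date -Format yyyyMMdd-HHmm)"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. USB mass-storage devices that have ever been connected (USBSTOR enumeration).
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
if (Test-Path $usbstor) {
    Get-ChildItem $usbstor | ForEach-Object {
        $deviceClass = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                DeviceClass  = $deviceClass
                SerialNumber = $_.PSChildName   # instance id; often the device serial
                FriendlyName = $props.FriendlyName
            }
        }
    } | Export-Csv (Join-Path $OutDir 'usb-devices.csv') -NoTypeInformation
}

# 2. Wi-Fi networks the device holds profiles for (SSID list only, no keys).
netsh wlan show profiles | Out-File (Join-Path $OutDir 'wifi-profiles.txt')

# 3. Browser history/download databases for every local user profile:
#    record presence, size and last-write time, and copy the file out for
#    offline review (the copy fails harmlessly if the browser has it locked).
$historyPaths = @(
    'AppData\Local\Google\Chrome\User Data\Default\History',
    'AppData\Local\Microsoft\Edge\User Data\Default\History'
)
Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
    $user = $_.Name
    foreach ($rel in $historyPaths) {
        $p = Join-Path $_.FullName $rel
        if (Test-Path $p) {
            $f = Get-Item $p
            $browser = $f.Directory.Parent.Parent.Name   # "Chrome" or "Edge"
            Copy-Item $p (Join-Path $OutDir "$user-$browser-History") -ErrorAction SilentlyContinue
            [pscustomobject]@{ User = $user; Browser = $browser; Path = $p
                               SizeBytes = $f.Length; LastWrite = $f.LastWriteTime }
        }
    }
} | Export-Csv (Join-Path $OutDir 'browser-history-files.csv') -NoTypeInformation

# 4. Files written to any user's Downloads folder in the last 180 days.
Get-ChildItem 'C:\Users\*\Downloads' -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-180) } |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv (Join-Path $OutDir 'recent-downloads.csv') -NoTypeInformation

# 5. Installed Windows updates, oldest first, to check the patch level.
Get-HotFix | Sort-Object InstalledOn |
    Select-Object HotFixID, Description, InstalledOn |
    Export-Csv (Join-Path $OutDir 'hotfixes.csv') -NoTypeInformation

# 6. SHA-256 manifest of everything collected, so the report can later be
#    shown to be unaltered.
Get-ChildItem $OutDir -File -Exclude 'manifest-sha256.csv' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv (Join-Path $OutDir 'manifest-sha256.csv') -NoTypeInformation

Write-Host "Triage output written to $OutDir"
```

Run it once per device before the machine is reimaged or reissued, and store the output folder with the leaver's or returner's record; the manifest lets anyone who later reviews the findings confirm the collection has not been changed since it was taken. Firefox and other browsers keep their history under different paths and are not covered by the two entries above; add them to $historyPaths as needed.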
Consider the situations and issues experienced over the last few months and review the following processes to help improve your remote working and data compliance posture:
- Conduct data flow and information audits across the organisation to review, identify and assess the data being held remotely.
- Update security controls and patches.
- Develop staff training & awareness programs.
- Consider a gap analysis to help identify control weaknesses, strengths and areas for development, especially in home working environments, and update the Risk Register.
- Design and implement appropriate remote working and internal measures to ensure Data Protection is integrated into all processes.
- Design Data Privacy Impact Analysis frameworks linking to pre-existing and remote working processes.
- Review the processing of data, identify and document the lawful basis for the processing activities, including clear and concise consent mechanisms.
- Review and update the framework of remote working policies and procedures needed to ensure GDPR/DPA18 audit compliance.
- Monitor compliance and regularly review the effectiveness of processing personal data.