"Hybrid working" has become a familiar phrase during lockdown as employers and employees have had to adapt. It refers to employees working between their home and the conventional office. The prediction is that the "new normal" will see hybrid working, for most of us, as here to stay.

There is no doubt that hybrid working can be of benefit to both employers and employees alike. It can save office space and resources and help employees to get a better work/life balance. However, it also presents its challenges, not least in relation to potential data protection issues.

Personal data is any data which applies to a living individual. Most businesses will process personal data and be responsible as data controllers under data protection legislation. This includes responsibility for the actions/inactions of employees even when the employee is using their own device. Organisations are now obliged to report a data breach in certain circumstances within 72 hours.

Under data protection legislation, organisations must ensure personal data processing, to include processing by employees working remotely, is subject to appropriate technical and security measures to keep personal data safe. Ultimately an organisation could find itself liable for a breach of personal data from a mistake by an employee or even where there has been hack when appropriate measures have not been put in place.

The ultimate risk is a data breach by an employee who is working remotely. In addition to the negative public relations and impact on a business' reputation, it could lead to investigation and enforcement action by the Information Commissioner's Office (ICO) and/or civil action by data subjects whose data rights have been infringed.

Most data breaches are caused by human error rather than an unlawful act. However, implementing practice and procedures to minimise and deal with the risks when they do materialise could go to mitigation when the ICO is deciding on investigation/enforcement, or a Court is deciding the amount of a damages claim.

What will work will depend on the particular circumstances of an organisation, the personal data it processes and its available resources. Some practical tips organisations may wish to include when its employees are hybrid working are:

  1. Conduct a Data Protection Impact Assessment to assess and minimise the risks;
  2. Only use devices supplied by the employer if possible;
  3. Don't mix an employee's personal information with an employer's data;
  4. Have policies in place i.e. employees need to know who to notify if there has been a potential breach to comply with mandatory breach notification requirements;
  5. Use appropriate technology to keep data safe i.e. management technology to restrict access to data, encryption, filters and anti-malware software, patch testing, multi-factor authentication, and regularly updating software;
  6. Ensure all employees who process personal data are aware of their responsibilities and are trained how to deal spot and deal with potential risks i.e. phishing attacks, malware, ransomware and spyware.

The worst thing to do is to ignore a data breach. Dealing with it quickly and openly can minimise the impact and potential negative repercussions to an organisation.

Cleaver Fulton Rankin advise a range of clients from public authorities to SMEs and larger corporations, on data protection issues. We provide practical commercial advice on dealing with data protection issues for new projects, implementing and amending policies and data protection audits, and provide assistance when an organisation becomes the victim of a data breach. Even in the event you have any queries on data protection, please do not hesitate to contact us.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.