If you had not been aware of the enforcement of the General Data Protection Regulation on the 25th May 2018 until very recently, you cannot fail to have escaped the recent publicity surrounding it - even if that’s mainly been via endless waves of email from companies who hadn’t opted you in to their mailing list properly in the first place.
Hopefully we will all have less noisy inboxes very soon, because one of the grounding principles of GDPR is to put privacy front and centre and give the data subject control and ownership of their personal information. It is the single biggest change to privacy law in Europe for 20 years, and it is causing a well-needed shockwave of reaction, across the EU and worldwide - not least because of the high profile of so many recent data breaches and abuses.
We have written before about information security concerns for remote teams, and if you are revising your policies and procedures in the light of the new legislation, then this is a very good time to check that you have the right systems in place - both to prevent your remote colleagues losing or misplacing personally identifying information in the first place, and for mitigating damage once it happens.
All the responsibility lies with the data controller - legally that is the business entity itself, effectively you if you are a small business owner. Organisations processing ‘large’ (that’s as yet undefined!) amounts of data should appoint a nominated Data Protection Officer - but it’s important that anybody processing personally data (defined here) for any reason, understands the changes which are taking place.
Third party tools
A great deal of the work we do in remote teams these days is delivered through our individual blends of software-as-a-service, and it is important to ensure that you audit everything you use, if you haven’t done so already - identify clearly which third party tools you are using to process personal data, and make sure that they have done the work to ensure GDPR compliance too.
The good news is, that most of them have - the kind of SaaS tools we recommend for communication and collaboration in our podcasts and blogs have had years to prepare for this, and used the time well, wherever they are located (because if they potentially process the personal data of a single EU national, then the GDPR applies to them too). And this might be a good moment for a general purge of unused or superceded tools; simply to tighten up usage policies in respect of anything you have moved away from for any reason.
But if you make responsible information management part of your organisation’s culture, this is your best insurance against any kind of breach. The time feels long overdue for a new respect for the value of our individual personal information, a backlash against the way we’ve been encouraged to give it away as consumers to our retailers and social networks. As team leaders, we can model the kind of respect we’d like our teams to show, for the trust our customers and audiences show to us. We can also ensure a culture of openness, where any suspected risks or breaches are escalated promptly and effectively, wherever our team members are located.
Responsibilities and rights
One aspect of the GDPR that information security teams are going to have to think carefully about in respect of a distributed workforce, considering the way our personal and professional lives are now so blended, is that your team have enhanced privacy rights now as individuals. If they are using their own devices to access and process personally identifying information on behalf of their employer, the challenge is to monitor this effectively without violating their own privacy, and to be able to secure such mixed-use devices in the event of loss or theft. This is not an issue for IT or HR to consider in isolation, because it requires open discussion and agreement, and a certain amount of give and take.
It might also be time to review basic IT training, alongside your data protection training. It’s great to know what counts as sensitive data or how to define pseudonymisation, but if you don’t also appreciate why you can’t forward stuff to your personal webmail account to work on later or you’ve just never really got on with that VPN they once installed on your laptop, then there’s going to be trouble sooner or later.
Does everyone know how to permanently and securely delete a file? Understand WHY they can’t store stuff on an unencrypted USB drive, and what the alternatives are?
Privacy by design is about what actually happens in your organisation, not what the policy document says - and with a remote workforce, that’s undoubtedly harder to oversee and ensure compliance. And bear in mind, as Lisette Sutherland said in her new book “Work Together Anywhere”, those who work away from the office occasionally rather than regularly may have a different set of assumptions and challenges to address. Our Director Pilar Orti was left averting her eyes just the other day on a commuter train, from what was obviously a very confidential email, being read in a crowded carriage by someone she was being obliged to hover over… As our tools and devices make us all more 'office optional' by the day, people need to be trained to be aware of the need for privacy, at all times, and wherever they are.
But the good news is that colleagues who are used to the freedom and responsibility of managing their own time and work, enjoying that high degree of both autonomy and accountability, should have no difficulty with the extra demands of effective GDPR compliance. They’re more used to handling their IT set-up, being in different locations, and coping with the unexpected. They just need to understand clearly the thinking and the values behind each aspect of the policies and procedures given, why to use the software stack agreed and provided where necessary, and have a chance to question, discuss, stress-test, whistleblow or feed back as appropriate, ensuring the training and toolset are fit for purpose - wherever they do their work.
This approach should help work towards a robust and practical compliance culture, which will stand the many updates that GDPR will doubtless bring, as regulation gets tested in the courts of every member state and precedents are created. We encourage you to keep an eye on updates from the Information Commissioner’s Office, and remind you that Virtual Not Distant cannot offer legal advice or specific consultancy around data protection and privacy issues.
(And if you’re wondering why you haven’t had to opt-in to the Virtual Not Distant newsletter all over again, it’s simply because we collected your explicit consent in the first place. We don’t use your contact information for any other purpose, than the one you initially gave us. We have of course updated our privacy notice, to contain expanded information about exactly how we process your data and secure it, and how the tools we use are compliant with the new legislation.)