Kate Wyatt, employment law expert with Lindsays, urges charities to take action now as she says they cannot afford to ignore risks of non-compliance with the regulator unlikely to continue to make allowances because of the coronavirus crisis
Charities face an increased risk of data breaches and heavy fines because of staff working from home long term and must take action to reduce the threat.
The warning comes as charitable organisations face the prospect of the majority of their people continuing to work from home for the foreseeable future as part of Covid-19 protection measures.
Employees must be reminded of their obligation to ensure that confidential data is not disclosed, with training and the proper remote IT access security infrastructure put in place where needed.
Unintended potential risks can come from visitors to their home or those they share properties with simply seeing information on computer screens or from paperwork sitting out.
It’s important that employers show that they have taken all reasonable steps to stop data breaches from happening
Data protection breaches can be met with financial penalties or sanctions from the Information Commissioner’s Office (ICO).
The potential increased threat of data breaches from home working is a real one, which charities cannot afford to ignore. The nature of how we went into lockdown means this may have been overlooked as employees moved out of offices, but with home working a long-term – or permanent – prospect for a great many, employers need to take hold of this issue immediately.
As home working becomes more normalised, I doubt the ICO will look any differently at breaches because of the circumstances in which it started. They will simply ask why employers have not got their house in order.
The ICO undertook in April to adopt a ‘pragmatic and empathetic’ approach to compliance because of the exceptional circumstances. As time goes on, and with home working set to continue, the circumstances are arguably no longer exceptional.
It’s important that employers show that they have taken all reasonable steps to stop data breaches from happening. They must remind employees about the need for IT and physical security.”
GDPR sets a maximum fine of almost £18 million or four per cent of an organisation’s annual global turnover – whichever is greater – for infringements.
Confidentiality is one of a number of key areas in which employers must take action amid increased home working. Others include monitoring performance management and working hours.
The changing work environment will alter the way that many charities have to manage performance. For third sector organisations which do not have KPIs in place, they are going to have to think about how they assess performance with a greater number of staff working from home.
Charities were too busy firefighting a lot of ramifications of home working, while facing numerous additional momentous management challenges, as we went into lockdown, but that does not remove the obligations they have to their staff. They have to consider these issues before problems arise rather than just as they happen.
Kate Wyatt is a partner at Lindsays.