Homeworking and GDPR recommendations for HR

25 September 2020

During the coronavirus pandemic much of the country moved to working from home, and it was considered, in the main, to be a temporary, emergency measure. As such, all the usual measures such as desk assessments and security were somewhat overlooked in the rush to ensure continued productivity.

As the discussions regarding the benefits of homeworking continue and the option of this becoming a more permanent arrangement is gathering traction, HR data security must be a key consideration.

GDPR – a brief summary

On 25 May 2018, the General Data Protection Regulation (GDPR) was introduced to tighten up the rules regarding the processing of personal data. All employers need to comply with the GDPR irrespective of size, as they will be 'processing' personal data relating to their employees, workers or contractors. Personal data is any data from which the individual can be identified – for example their name, date of birth, bank account details or medical records. Organisations will be 'processing' if they collect, store, disclose, use or erase personal data.

The challenge

Remote working means individuals will be logging in to your organisation’s systems from various locations using personal WiFi and, in some cases, using personal devices. Many are also using technologies that they may not be familiar with and working in locations such as shared houses that may not best lend themselves to good data security.

What steps can you take?

  1.  Review your HR, IT and security policies to make sure they adequately cover remote working. It is a good opportunity to undertake a general review to assess if your policies are fit for purpose more than two years on from the introduction of GDPR.
  2. Provide refresher training to all staff to remind them of the key principles of accessing, processing and disposing of personal data, whilst being mindful of their working environment.
  3. Advise employees of your preferred conference tool – for example, using MS Teams rather than Zoom.
  4. Remind staff that holding work conversations in shared spaces, including the garden, is likely to result in a breach of confidentiality.
  5. Ensure documents are stored in the agreed appropriate place to avoid data breach or losses.
  6. Consider implementing a secure, cloud-based HR IT system; RSM has its own proprietary software aimed at SMEs.
  7. Remind staff of the importance of applying IT updates as and when required so that their remote access is as secure as possible.
  8. Review and implement a secure password protocol.
  9. Advise staff of the increasing prevalence of ‘phishing’ attacks and other common email security breach risks and who to report potential breaches to
  10. If staff are using their own devices for work purposes, remind them of your organisation’s security protocol – this could be a risk and should be avoided where possible.
  11. Where possible, provide suitable data storage and disposal, such as a lockable cabinet and a document shredder.
  12. Provide regular refresher training and reminders to prevent any breach.
  13. Include data security in your homeworking risk assessments.

Through a combination of our HR, legal and technical risk expertise RSM is in a unique position to help you with any queries about GDPR. Our team of data privacy specialists can help you with GDPR data audits, review privacy notices for employees and applicants, review data retention documents, and ensure you have a secure way of storing your people data.

For further information about our GDPR services, please contact Kerri Constable or Laura Cerasale