As we start to see the outlines of what a post-pandemic workplace is going to look like, we’re starting to realise that things that made sense in the before-times, don’t always translate seamlessly into today’s world.
Take protection of personal information legislation around the world. With remote working set to continue – probably in various flavours of hybrid working – companies are bumping up against protection of personal information vs productivity disconnect.
Protection of personal information legislation such as the GDPR tends to think about the storage and transport of data in terms of a centralised office location. Both physically and virtually organisations were easy to define and protect.
Perimeters were clear, with cameras and biometrics protecting physical entrances, exits and behaviour on site. Data protections officers could ensure hard copies of documents were safely stored, only accessed by relevant people, and disposed of securely. Virtually, an organisation's digital footprint was also easier to define and contain. Barring a few known exceptions, employees were on the company network and activity could be monitored and controlled to protect the access, movement and storage of valuable personal identification data.
The remote working data protection disconnect
This has all been turned on its head, rapidly and dramatically, with the shift to working from home at the start of the pandemic. And while we've had 18 months to let the dust settle, harden temporary measures and fill in any gaps in data protection and other security measures, a large disconnect remains.
For instance, it is unviable to expect the same physical security measures in place at people's homes. Can you imagine demanding employees add security cameras and biometric scanners to their home office or work area? This feels like an overreach and a violation of their and their family or housemates’ privacy.
Similarly, even if the company provides a safe or lockable cabinet for employees to store hard copies of personal identification data, there is less oversight and control over whether the employee complies with requirements.
Sure, a fully paperless work environment is a possible solution (although how many of us habitually make quick scribbles on sticky notes – which could include personal identification information?).
And remote work in the digital space is no less challenging for data protection officers to manage. More devices connected remotely to corporate networks and cloud services mean more opportunities for cyber criminals to attack. As our personal and professional lives increasingly merge thanks to taking place in the same physical space, so too do our devices, with personal devices used to quickly check email or messages, professional devices used for entertainment, and devices increasingly shared amongst households.
The reality is that a remote workforce, for all its undisputed benefits, also has very real limitations. Before, the data protection officers could easily check in with how employees are complying with regulations. Likewise, employees could also lean over and confirm that their manager did indeed ask them to click on a link to make an urgent payment. Without physical proximity these disconnects threaten organisations’ abilities to safeguard the personal identification data they need to hold to offer services and run their business.
Data protection vs productivity
Not to mention that we are all expected to work with more flexibility and agility to drive innovation and customer service in our organisations to help spur on the post-pandemic recovery.
I’ve written previously about how we need to improve efficiencies in a digital world. How does this required speed and flexibility – which is possible, powered by digital transformation – square with onerous, impractical data protection compliance requirements that were designed in and for another world?
Don’t get me wrong, the protection of personal information is vitally important, and will become increasingly important as so much of our lives shift online. And also, remote working and the emerging hybrid model of working is both positive and unavoidable. So, genuine question, do we need to reflect on current protection of personal information legislation to make it more appropriate for today’s decentralised business environment?
