Is working remotely in breach of GDPR?
One practitioner’s insistence that their staff should work from the office at all times to ensure GDPR compliance sparked discussion and debate in the AccountingWEB community. But are they correct?

1st Feb 2023

In the sea of alphabet soup that is the UK compliance landscape, GDPR (or the General Data Protection Regulation, to give it its full title) has found itself slightly obscured in a haze of MTD, AML and IR35.

In these post-CJRS (Coronavirus Job Retention Scheme) days, it’s easy to forget how much hype accompanied the regulation’s coming into force on 25 May 2018, particularly with accountants holding sensitive data on their clients or businesses. As an indicator, a guide on what small accounting firms need to do to be GDPR compliant was AccountingWEB’s most-read article in 2018. But the compliance wheel turned, practitioners weren’t hauled up before the Information Commissioner’s Office (ICO) and fined in their droves, and data protection was quietly de-escalated, leaving a host of potential misunderstandings still floating in the ether.

I was reminded about GDPR mania during a conversation at November’s AccountingWEB Expo. A firm owner (who shall remain anonymous) told me that since the last lockdown lifted, they have insisted on staff working in the office at all times for “GDPR reasons”. They justified this by stating that they handle sensitive client documents and wouldn’t want them viewed by others outside the firm.

Having covered GDPR when it first came in, this bothered me. I don’t doubt for a second that their intentions were honourable, but plenty of firms work remotely. Are they all technically in breach of the regulation, even if the ICO hasn’t sent SWAT teams through their patio doors yet? To find out, I asked the AccountingWEB community and a selection of trainers and software firms to see what they made of it.

Fitness for purpose

On the whole, the community reaction was sympathetic to the practitioner’s predicament, but many felt the office-only approach was taking things a little too literally.

“GDPR is suggestive, not prescriptive,” said AccountingWEB member Duggimon. “Our staff are aware of GDPR and the need for security around personal data. We deem that to be compliance with the regulations and I don’t believe there’s anything in there that says otherwise.”

Hugo Fair added that GDPR is “about responsibilities/accountability” and not predefined rules. “In non-legal speak it’s about fitness for purpose and balancing the needs of the individual with those of the organisation holding the data,” Fair added, “which means each organisation should have put together its own set of procedures/standards and is responsible for ensuring that staff follow those procedures.”

There was understanding in some quarters of the accountant’s methods. AccountingWEB member ireallyshouldknowthisbut said that in taking confidential documents home you are potentially widening access to them, while Mr Awol added that WFH is “definitely a risk if you have any kind of paper trail at any point”.

However, the issue of trust came up more than once on the thread. “I think they just didn’t want to say, ‘I don’t trust my staff,’” said ireallyshouldknowthisbut, while Jason Croke added that the story “feels like the boss wants people back in the office where they can be watched (ie lack of trust).”

‘No reason’ why you can’t work from home

“The accountant in question seems to be taking a risk-averse approach,” said Gerrard Fisher, founder and MD at Astrid Data Protection. “As long as you have the right practices and training in place, there’s no reason why you can’t work from home.”

Fisher stated that working remotely does carry increased risks in certain areas, particularly for those living in shared accommodation or logging in from public spaces. However, being in the office doesn’t mean a business isn’t open to breaches. 

“The majority are silly slips: clicking the wrong link, entering the wrong email address or sending confidential details to the wrong person,” said Fisher. “But that’s not exclusive to remote working.”

One of the best ways to minimise the risk of such slips – and to ensure a lighter punishment if they happen – is regular training or reminders about best practice. “The ICO is more likely to come down hard on a business that’s had a breach and hasn’t trained their staff,” he said. Heathrow Airport suffered a harsher penalty after an ICO investigation into a breach found that only 2% of its 6,500-strong workforce had received data protection training.

“It’s not the most exciting topic, but it’s important to keep reminding people about the simple stuff,” he added. “Some of the easiest gaps to plug include good password practice or a password manager, and locking your screen when you leave your computer.”

Laptops should have encryption activated and key software should have two-factor authentication built in, and businesses that allow employees to use personal devices to access work files should implement controls where they can wipe them if needed.
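The controls listed above (disk encryption, screen locking, two-factor authentication on key software, and remote wipe for personal devices) are easy to state and easy to lose track of across a remote workforce. As an added illustration, not code from the article or from Astrid Data Protection, the script below audits a constructed device inventory (a CSV export is assumed as the input format) against those four controls and reports each device's gaps. The 10-minute lock timeout and the list of "key software" are hypothetical firm policy values, not figures from the article.

```python
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed firm policy values (hypothetical, not taken from the article).
MAX_SCREEN_LOCK_MINUTES = 10
KEY_SOFTWARE = {"practice-suite", "email", "client-portal"}  # must have 2FA enabled


@dataclass
class Device:
    hostname: str
    owner: str
    personal: bool                      # staff-owned (BYOD) rather than firm-issued
    disk_encrypted: bool
    screen_lock_minutes: Optional[int]  # None = no automatic lock configured
    remote_wipe_enrolled: bool
    apps_with_2fa: List[str] = field(default_factory=list)


def audit_device(d: Device) -> List[str]:
    """Return the list of control gaps for one device (empty list = compliant)."""
    findings: List[str] = []
    if not d.disk_encrypted:
        findings.append("full-disk encryption not enabled")
    if d.screen_lock_minutes is None:
        findings.append("no automatic screen lock")
    elif d.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
        findings.append(
            f"screen lock timeout {d.screen_lock_minutes} min exceeds "
            f"{MAX_SCREEN_LOCK_MINUTES} min"
        )
    # Every key application must have 2FA; report the missing ones in a stable order.
    for app in sorted(KEY_SOFTWARE - set(d.apps_with_2fa)):
        findings.append(f"2FA not enabled for {app}")
    # Personal devices holding work files must be wipeable by the firm.
    if d.personal and not d.remote_wipe_enrolled:
        findings.append("personal device not enrolled for remote wipe")
    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Map hostname -> findings, omitting devices with no gaps."""
    result: Dict[str, List[str]] = {}
    for d in devices:
        findings = audit_device(d)
        if findings:
            result[d.hostname] = findings
    return result


def _to_bool(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def parse_inventory(csv_text: str) -> List[Device]:
    """Parse a CSV export with one row per device (column names are assumed)."""
    devices: List[Device] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        lock = row["screen_lock_minutes"].strip()
        devices.append(Device(
            hostname=row["hostname"].strip(),
            owner=row["owner"].strip(),
            personal=_to_bool(row["personal"]),
            disk_encrypted=_to_bool(row["disk_encrypted"]),
            screen_lock_minutes=int(lock) if lock else None,
            remote_wipe_enrolled=_to_bool(row["remote_wipe_enrolled"]),
            apps_with_2fa=[a.strip() for a in row["apps_with_2fa"].split(";") if a.strip()],
        ))
    return devices


# Constructed sample inventory: one compliant laptop, one firm laptop with several
# gaps, and one personal device that cannot be wiped and never locks.
SAMPLE_INVENTORY = """hostname,owner,personal,disk_encrypted,screen_lock_minutes,remote_wipe_enrolled,apps_with_2fa
LAP-001,A. Smith,no,yes,5,yes,practice-suite;email;client-portal
LAP-002,B. Jones,no,no,30,yes,email
BYOD-003,C. Brown,yes,yes,,no,practice-suite;email;client-portal
"""

if __name__ == "__main__":
    for host, gaps in audit_inventory(parse_inventory(SAMPLE_INVENTORY)).items():
        print(host)
        for gap in gaps:
            print("  -", gap)
```

Run against the sample, LAP-001 produces no findings, LAP-002 is flagged for missing encryption, an over-long lock timeout and two applications without 2FA, and BYOD-003 is flagged for having no screen lock and no remote-wipe enrolment. The same shape of check can be fed from an MDM export rather than a hand-written CSV.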

Fisher also highlighted the importance of good business culture when it comes to reporting incidents. “People think having breaches is a bad thing,” he added, “but reporting slips and trips is how you avoid larger accidents and it’s the same with breaches. If you suppress the culture of reporting then it can go badly wrong.”

‘No point’ in technology if staff or clients try to bypass it

Laurent Guyot, director of secure messaging service Qwil Messenger, told AccountingWEB that in cases like this one, it’s important to discuss the real risks rather than the perceived ones. 

“If an employer doesn’t trust their employees then location is irrelevant,” said Guyot. “Having all staff in the office may give the impression of security, but considering 92% of all attacks begin with a phishing email or that WhatsApp scams increased 2,000% last year, having a lock on the door or security cameras will do little to prevent the biggest causes of data breaches.”

According to Guyot, the availability of security tools such as encrypted email, portals or password-protecting documents hasn’t prevented the escalation of fraud or data breaches – whether in the office or out. This is partly down to the clunkiness of existing tools or processes, creating friction for staff and clients and resulting in alternatives outside the control of a firm such as WhatsApp or iMessage being used instead – often at the request of the client.

“There’s no point in technology if staff or clients try to bypass it!” Guyot continued. “Professional firms need to adapt to the new ways of communicating with clients and offer true alternatives to meet both GDPR and security requirements, and this is not just due to remote working.”

GDPR ‘can’t be perfect’

Giles Mooney, a chartered accountant and partner at The Professional Training Partnership, said the key with GDPR is making sure “you can demonstrate you’ve been reasonable”.

“This means reasonable in your attitude to client data and your steps to protect it,” added Mooney, “and asking the client what the data should/could be used for and then sticking to that.”

PTP’s training on the subject outlines how to do this and acknowledges that GDPR can’t be perfect, but the firm must consider what their responsibilities are, implement plans and then be able to demonstrate they’ve followed them.

“Working from home isn’t a problem, as long as the overall approach deals with the risks of doing so and everyone is trained to deal with them,” said Mooney.

Replies (19)


By Ian McTernan CTA
01st Feb 2023 15:13

Excellent article Tom.

Common sense is needed. If I had any employed staff then if they wanted to work from home, that would be fine. I would provide them with laptop, security etc and ensure they have all the tools necessary to work securely from home. Work email only to be viewed on my equipment. No social media at all. All work related files etc and all sensitive information only through approved channels.

They are welcome to use their own devices for their social lives.

People need to be aware of the security risks in phishing attacks and any form of social media which should be avoided on work machines.

Thanks (2)
Replying to Ian McTernan CTA:
By carnmores
02nd Feb 2023 15:01

That sounds extremely hopeful. Good luck with that if ever implemented.

Thanks (0)
By JustAnotherUser
01st Feb 2023 15:58

They justified this by stating that they handle sensitive client documents and wouldn’t want them viewed by others outside the firm.

I bet this person has tinted windows so the window washers don't snoop, he makes the postie wear a blindfold and has every monitor fitted with blinkers and 5 step verification...

Or they are just out of touch and fear change like most of the back to the office gang.

Thanks (2)
By Justin Bryant
01st Feb 2023 16:23

It just shows the nonsense of GDPR with hybrid working. A rogue employee (or their rogue household) could simply print off reams and reams of client sensitive information at home and just store it all at home (or worse). A bit like US presidents seem inclined to do.
https://www.bbc.co.uk/news/world-us-canada-64488011

Simply having a GDPR staff handbook forbidding such practices is useless for such rogues of course.

Thanks (0)
Replying to Justin Bryant:
By Duggimon
02nd Feb 2023 09:50

If you have a rogue employee in the office it's really not going to be much harder for them to do the exact same thing.

I 100% guarantee if you set me up in any office with the access level of a typical staff member I could get sensitive client data out of there with no problem whatsoever.

The best you can do is take all reasonable measures to try to prevent it from happening, which (almost as if by coincidence) is exactly what the regulations tell you to do.

It's up to businesses whether those measures include stopping staff working from home, but information isn't any more secure from a bad actor in the office than it is at home. The point is to try and avoid accidental data breaches or outside incursion, and you can do that while working from home without much more effort than in the office.

Thanks (3)
Replying to Duggimon:
By Ruddles
02nd Feb 2023 10:53

I thought about saying exactly the same, but would have been accused of sparpling ;¬)

Thanks (2)
Replying to Duggimon:
By Justin Bryant
02nd Feb 2023 11:14

But that's no excuse for making such rogue action infinitely easier with hybrid working, is it (even ignoring the fact the rogue may be someone else in the household)?

Thanks (0)
Replying to Justin Bryant:
By Ruddles
02nd Feb 2023 11:24

Did you miss this bit?

"If you have a rogue employee in the office it's really not going to be much harder for them to do the exact same thing."

Thanks (0)
Replying to Ruddles:
By Justin Bryant
02nd Feb 2023 11:31

Did you miss this bit?

"But that's no excuse for making such rogue action infinitely easier with hybrid working, is it (even ignoring the fact the rogue may be someone else in the household)?"

Or are you seriously suggesting it's not infinitely easier?

Thanks (0)
Replying to Justin Bryant:
By Ruddles
02nd Feb 2023 11:51

Of course I didn't miss it - did you not realise that my comment was a direct response to it?

The previous comment was that it is not much harder for a rogue employee to 'steal' sensitive information from the office. Your response was that this is no excuse for making it infinitely easier to do so from home. You really do have a weird and wonderful way of interpreting things.

But yes, I am suggesting (actually, agreeing with the previous poster) that it is not infinitely easier. No problem at all for a rogue employee to print/download/email etc etc etc sensitive information.

Thanks (0)
Replying to Ruddles:
By Justin Bryant
02nd Feb 2023 11:54

In that case I suggest you are not suitable for any job advising on anything to do with security etc. (or on anything else for that matter).

Thanks (0)
Replying to Justin Bryant:
By Ruddles
02nd Feb 2023 11:58

That's absolutely fine. I am a tax adviser - I leave others to deal with data protection procedures etc.

Thanks (2)
Replying to Justin Bryant:
By totalwise
03rd Feb 2023 01:25

Justin Bryant wrote:

It just shows the nonsense of GDPR with hybrid working. A rogue employee (or their rogue household) could simply print off reams and reams of client sensitive information at home and just store it all at home (or worse). A bit like US presidents seem inclined to do.
https://www.bbc.co.uk/news/world-us-canada-64488011

Simply having a GDPR staff handbook forbidding such practices is useless for such rogues of course.

You haven't heard of print 2 pdf it seems - it's a pretty useful feature to turn html invoices on web pages to pdf storable ones!

You can do the same from your employers office, print 2 pdf and save to cloud.

Thanks (1)
By Hugo Fair
01st Feb 2023 20:44

"Is working remotely in breach of GDPR?"

Showed this article to one of my sons, whose instant response (merely to the headline) was:
"Surely an action either is or isn't wholly in breach of GDPR - so what's so special about 'working'?"

Oh the hazards of modern journalism ... headlines without punctuation!

Thanks (3)
By sightblinder
02nd Feb 2023 09:58

A good article with some valid viewpoints on both sides. But, did you not do the obvious and ask the ICO for their position?

Their enquiries people are very helpful and respond quickly to questions. As a journalist I'm sure they would have wanted to engage with you on an important subject.

Thanks (1)
By PChapman
02nd Feb 2023 11:57

I'd say the Boss used GDPR as an excuse to pull people into the office! Lack of trust

If you're using MS Office and Sharepoint say (or dropbox, google office etc...) to store stuff in the cloud you are already working remotely (To where the data is stored)

It comes down to Trust, Training, and Awareness. GDPR requires that you take reasonable steps.
Shirkers will shirk
Workers will work
whether in the office or not

Thanks (2)
Replying to PChapman:
By Trethi Teg
03rd Feb 2023 08:44

Workers work 90% of the time in the office.

Workers work 75% of the time at home.

No "evidence" of this - before anyone starts using that word - simply 50 years of experience and a bit of common sense.

Thanks (0)
Replying to Trethi Teg:
By bendybod
03rd Feb 2023 10:03

But is the 75% (assuming that that proves to be correct) more or less efficient than the 90% in the office?
I'm not defending either way. I have staff who work 100% of the time in the office, staff who work 100% of the time from home and staff that work about 70/30 in favour of the office. I can't say that I've noticed a significant difference between the efficiency of any of them. If anything, those in the office get slightly more distracted by what is going on around them, "watercooler chats" etc.

Thanks (1)
Replying to Trethi Teg:
By Yossarian
03rd Feb 2023 13:38

Trethi Teg wrote:

Workers work 90% of the time in the office.

Workers work 75% of the time at home.

No "evidence" of this - before anyone starts using that word - simply 50 years of experience and a bit of common sense.

Depends on the worker. I used to work from home 2 days per week, then in the office 3 days per week. I often got far more done in the two home days than the three office days as there weren't the continual interruptions, pointless meetings, office gossip etc to contend with.

I now run my own business entirely from home and am probably more productive than I ever was when employed by others!

Thanks (0)