Governing Data Protection in the era of “Connected Working”
The term “extended enterprise” is usually used to describe a network of interconnected businesses that pool resources and capabilities to deliver greater value to their customers. However, in the evolving organisational revolution underway in response to the public health risks of pandemics, I’d suggest that it also describes the reality of the future of work, specifically remote work. One of the key data transformation drivers over the past year in organisations of all sizes has been the forced need to embrace remote work (aka telework or e-work) as a default rather than a perk. This isn’t going away, and connected working while remote, in all its forms, is here to stay.
Of course, in the extended enterprise “remote work”, and the traditional synonyms of ‘teleworking’ or ‘e-working’, is possibly the wrong term. After all, where are people remote from if there is no “central office” that they would normally be in? For that reason, I prefer the term “connected working” rather than “remote work”. My reason is simple: the emotional resonance of “connected” is different to that of “remote”. One highlights the need for people to get access to our resources, the other risks placing the ‘remote worker’ out of sight and out of mind. For the same reason, I’ve long preferred the acronym GATOR (give access to our resources) over the traditional BYOD (bring your own device).
In the context of this world of connected working, the role of good data management strategy and implementation is essential for organisations of all sizes. This encompasses strategies for data protection, governance, document and content management, data quality, information security, and a host of other considerations. The specific needs will be different for different organisations. But all organisations need to actively consider the implications of remote work or the connected enterprise.
The modes of connected work
As part of this, senior managers will need to identify and plan for the different ‘flavours’ of connected work. In the past ‘working from home’ often meant slogging away at the kitchen table of an evening to catch up on deadlines. The term ‘working remotely’ might have conjured the image of a travelling rep working in a lay-by, motorway services, airport lounge, or hotel lobby. Now the world of remote work encompasses a multitude of models. And each of these models brings with it different data management, governance, and protection risks.
Work from Home (WFHome)
The Irish Government define “home working” as:
The conventional model whereby employees work from their homes. This can include people who work solely from home and those who work from home some or most of the time.
When staff engage in connected working from home, a number of considerations arise in respect of data management and data protection. One of the practical issues is that of knowing how to get access to the timely, accurate, and relevant data and information that the team member needs to actually do their job. This is a document and content management challenge. This challenge can raise information security headaches. It also brings some practical data protection challenges for the organisation.
The difficulty is that much of the official guidance at this point focuses on the data protection implications for information processed by the organisation and there is very little guidance on the data protection implications of employee monitoring in a context where the barrier between the workspace and personal space is, of necessity, blurred.
Examples of issues that might arise:
- Security of access over a home wifi connection
- Sharing of home networks with other people who might be WFHome
- Access to devices or paperwork by third parties (including issues arising from shared scanners/printers)
- Implications of remote monitoring technologies
- Issues of recording calls or meetings when the private space of the employee (and indeed potentially other people)
- Records management and paperwork – how to store, secure, and distribute the physical paper that still sticks to businesses such as receipts, correspondence etc
- Ability to access office systems securely
- Connectivity speed/stability
- Connectivity security (e.g. does the broadband provider block use of VPNs?)
Work from Hub (WFHub)
Working from Hub is another mode of ‘Connected Working’ where team members work from a shared office space or ‘hub’. This is not dissimilar to the concept of telecottaging. The Irish Dept of Business Enterprise and Innovation defines it as:
… an arrangement where an employee works from a hub close to or within their local community, either exclusively or some of the time. This includes co-working, which involves attendance at a co-working space where collaboration and networking outside of one’s team or organisation is encouraged
While some of the document and content management and other data management issues are common to the WFHome model, the data protection and information security landscape is different. The issues of shared infrastructure (e.g. using a semi-public wifi network), the security of devices or paperwork in open plan shared offices, and the privacy of voice or video calls in a shared space are all additional considerations. A co-working cube might look exactly like the cubicle or desk you might have in a traditional office, but the environment is different. Also, the model of collaboration and networking with people outside your organisation introduces new twists on the issues and risks that can arise in the WFOffice context.
Issues that might arise in a WFHub context, in addition to those that arise in a WFHome context, include:
- Use of shared printers and scanners in a semi-public location
- Potential commercial sensitivity of conversations/video calls
- Security of devices/equipment left in the WFHub environment
- Availability of ‘own door’ office space within the WFHub environment
- Security of shared wifi and other communications systems.
Work from Road (WFRoad)
I confess. I wrote some of this blog post sitting in the car park of my kid’s school waiting for the school run traffic to clear. On an iPhone. That is the WFRoad experience. It is also the experience of sitting in a motorway services coffee shop using a public wifi network to check email and work on documents while having an overpriced lukewarm coffee. Anyone who has ever used the wifi on a plane, train, or bus to do work has been doing WFRoad. Over twenty years ago, when I connected my laptop to my Nokia 6310i via bluetooth and used the GPRS signal and the data package on my mobile account while working as I commuted to the Dublin office by bus, I was WFRoad.
This mode of Connected Working doesn’t explicitly feature in the Irish Government’s Remote Work in Ireland policy document. However, it is still a valid mode of Connected Work as it is a scenario where team members would be getting access to organisation resources in an environment that is not under the control of the organisation. While many of the issues of WFHome and WFHub don’t apply in this context, and while some of the key risks around security are probably more obvious because of the openness of the people, devices, and records, organisations still need to have clear governance defined for what kind of work can be done in a WFRoad context. After all, people leave things on trains all the time.
Work from Office (WFOffice)
This is the traditional model of office working that owes much to the centralization of labour around capital that was the innovation of the industrial revolution. People historically went to the office because that was where the physical means of production were located: the machinery, the paper, the filing cabinets, the computers.
This model still has value in the context of collaborative work or work functions that cannot be done in a less controlled or controllable environment. However, in the ‘Connected Work’ environment a traditional office has become more like a class of WFHub which is controlled by and managed by the organisation for the use of their staff or approved guests.
The need for Information-Centric Strategy
Given the variety of models of Connected Working, the key questions that need to be addressed are:
- what information, data, documents, processes, or systems do workers need to be connecting to?
- how will they be connecting?
- why are they connecting?
- when will they be connecting?
Whether it is a people connection or an information or process connection, these are among the key questions the organisation should be asking. Once you have identified the what, how, when, and why of the connection, it is then necessary to ensure that there is appropriate planning and governance in place to make sure that that connection to work can happen in a reliable, secure, and sustainable manner.
Certain information may not be appropriate to access in a WFRoad context due to commercial security or data protection concerns. Team members who are engaging in a WFHub connected work arrangement may need to have something other than a hot-desk in a co-working space. We cannot forget that WFHome or WFHub is not a ‘one-size fits all’ proposition. Issues of the suitability of the working environment inevitably arise. For example, what if two people who are co-habiting work for rival companies? Or what if staff of competitor companies are sharing the local connected working hub? Organisations must consider the nature of the information being processed or being accessed by the team member who is working from home or working from a hub.
Knowing the ROPAs
The Register of Processing Activities that organisations are required to complete under Article 30 of GDPR is an invaluable tool. It helps you map and understand your Connected Working landscape. Many organisations have compiled ROPAs that are of varying degrees of quality, accuracy, and ‘freshness’. However, the assessment of where work is happening may only have been considered by the teams putting these original ROPAs together in the context of cross-border transfers.
A Connected Worker who is working from a Hub works somewhere outside the traditional boundaries of the organisation. Management need to identify and define categories of physical location. Our “WFHome, WFHub” classification is a starting point. Depending on the processing activities that that staff member was engaged in, safeguards may be required in different locations. The categories of personal data they are working with may also lead to additional safeguards and controls being considered.
Any organisation that is embracing connected working that hasn’t yet updated its ROPA may have a blindspot in terms of information risk and the effectiveness of their organisational and technical controls over data.
We designed our ROPA methodology and templates to be an ontology of data in the business. Our approach ensures you are capturing the Who, What, When, Why, and importantly WHERE data is being processed. This approach also means the ROPA developed for personal data can be extended to include other categories of data and processing activities. This gives a benchmark map for making objective strategic decisions.
Data Protection Impact Assessments as a WF(x) Governance Tool
In the world of WF(x), where government policy in Ireland, and elsewhere, seems to be moving towards a legal right to Connected Working, it will be more important than ever for organisations to ensure that DPIAs are carried out on the specifics of each remote working setup. This identifies the safeguards and controls that will be required to facilitate the worker. It also identifies the organisational and technical controls needed to ensure compliance with data protection laws. Commercial confidentiality and security considerations may also need to feature.
Health and Safety assessments are required for remote working on a long term basis. The DPIA, from an organisation perspective, is the data management equivalent. It should form part of the decision making around who can and cannot work in a connected way. Restrictions on the types of work that can be done remotely might be needed. The types of data that can be accessed could be restricted. Connected work might only be approved from certain types of location for certain processing activities. This should be assessed based on the specific instance of connected working.
Formal decision making criteria will be required, and objective documentation of the risks and mitigating actions will be needed for employers to stand over decisions to allow or restrict connected working. As with the Register of Processing Activities, a risk management tool from Data Protection can be repurposed and extended to serve new governance purposes.
Striking a Balance and Holding the Gains
Organisations have made significant leaps forward in the acceptance of and operation of connected working this year. We have sprinted into this world of remote working of necessity, but now find ourselves facing a need to run a marathon at the same pace. To hold our gains in the adoption of connected working, organisations need to develop more mature practices. They need to embrace the need to improve data management capabilities to support flexibility without sacrificing security and risk management.
Not all roles are suited to connected working on an ongoing basis. The types of data or the types of processing activity that is being performed are often key factors in these decisions. But remote working has evolved overnight from a perk to a core part of how organisations need to do business. This arises both from a pandemic control perspective and from a business benefit perspective – a connected workforce lets you expand your pool of talent and also expand your market for product or service delivery. To hold our gains, appropriate governance controls and frameworks will need to be implemented in organisations to support connected working in all its flavours.
Staff will also need to be educated on fundamentals of data protection and other data management skills so they can be better empowered to make independent decisions and mitigate risks themselves.
While the perfect is the enemy of the good, appropriate structures can help the good become better.
How Castlebridge can help
Castlebridge has a combined fifty-plus years of experience developing policies and procedures for Connected Working. Many of our team have worked remotely for many years. Indeed, I’ve worked remotely in various roles since 1997. I helped define the policies and procedures for connected working in a leading telecoms company nearly twenty years ago.
Technology may have evolved in leaps and bounds since then. But the fundamentals remain largely the same. They continue to centre on the Who, What, When, Where, and Why questions around data in the organisation. The fundamentals of good data management can lay a strong foundation for your Connected Work strategy. That strategy in turn enables productive remote work. Getting the answers to these questions is key. This applies to data being processed in the organisation. But it also applies to how data should be used to help and support workers.
Ensuring the right tools and data are used to keep them connected and manage their workloads is key.
Consulting and Advisory
- Castlebridge can provide a quick consultation on the data management and data protection aspects of a Connected Working strategy, helping you to identify the areas of your business that will either help or hinder the sustainability of the change
- We can assess levels of data literacy and data management maturity in your organisation. This can inform your approach to skills development plans for effective Connected Working.
- Our team can help you define and implement pragmatic and effective strategies and processes for data in a Connected Working context.
We deliver all of our consulting and advisory engagements remotely by default. If you don’t have budget for a long term commitment or are unsure what you need, you can book a 1 hour Clinic, or you can dive right in and BECOME A CLIENT.
- We can provide training for teams on how to develop a Register of Processing Activities.
- We can provide training for teams on Data Protection Impact Assessments. Our methodology is a simple, structured, ‘drill’ approach. Staff at all levels can learn this.
- We can provide value for money training by elearning for staff on a range of data management topics. Courses include data protection essentials, data governance, how to do DPIAs, and how to develop and maintain ROPAs.
We teach classes remotely by default. We use a blended learning model where possible. This means learners have the benefit of a live instructor to help them develop their skills and insights. Fully pre-packaged training is also available. We can tailor courses to your organisation and budget. Get in touch to find out more.
Castlebridge made a submission to the Government of Ireland’s consultation on Remote Working. A copy can be downloaded from here.