Hybrid working: A reminder of the data protection risks

Tom

Fran

By Tom Llewellyn, Partner and Fran Tremeer is an Association in the Dispute Resolution team at Royds Withy King

Banks and financial services firms across the UK continue to operate hybrid working patterns with staff working from home and the office. There presents much greater data protection risks, says Tom Llewellyn and Fran Tremeer.

The ‘new normal’ hybrid working pattern has increased risks to the security of regulated firms. As well as firms’ general obligations under UK GDPR, the Financial Conduct Authority (FCA) has set out its expectations for firms so that they can meet their regulatory responsibilities.

Firms should be aware of the risks that home working poses and the expectations of both the Information Commissioners Office (ICO) and the FCA so that they can take appropriate steps to ensure compliance.

As a starting point, firms should be alive to the risks:

• Home networks generally have weaker security. Without sufficient protection in the form of complex passwords, multi-factor authentication and use of virtual private networks (VPN), home working can be a security risk.
• Hand-written notes and hard copy documents not being handled or disposed of securely at home.
• Confidential information is more likely to be carried when commuting, creating an increased risk of a breach should documents and/or hardware be left in a public place.
• Less oversight of employees, particularly those working their notice period, and therefore more susceptible to the actions of rogue employees.
• Identifying that a breach has occurred and establishing how it happened.

Furthermore, with the increase in employees working from abroad whilst on holiday, firms should be aware of restrictions on data transfers to third countries.

Data protection and the ICO

The ICO recognises that firms have been required to adapt to the demand for remote working following the pandemic. However, it remains that UK GDPR requires that personal data is processed in a way that ensures ‘appropriate security‘ (relevant to the data – i.e. the more sensitive the more secure it should be) by using ‘appropriate technical or organisational measures,’ including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

The measures necessary for your firm will be specific to your organisation, and the ICO does not mandate what firm’s must do to comply with their data protection obligations. The ICO expects firms to strike a proportionate balance between flexible arrangements and data security, but in reality that means adapting your working practices to provide enhanced security to offset the risks of hybrid working.

FCA expectations

The FCA has been very clear. There are no exemptions for working from home and firms must ensure that work carried out at staff’s homes complies with all rules, regulatory standards and obligations. Therefore, regulated firms must ensure that remote working arrangements do not:

• affect its location or ability to meet and continue to meet the threshold conditionsfor the regulated activities it provides;
• prevent the FCA from receiving information or hinder engagement between the firm and the FCA;
• reduce the accuracy of the Financial Services (FS) Register;
• affect the firm’s ability to oversee its functions;
• detrimentally impact consumers;
• damage the integrity of the market;
• increase the risk of financial crime; or
• reduce competition.

The FCA make it clear that its guidance does not provide an exhaustive list of requirements and firms should seek advice if they require support. It is worth noting that the FCA should be notified of any changes to your operation in accordance with Principle 11, which necessitates openness and co-operation.

The FCA suggests that the above can be achieved through effective planning on the part of a firm, which has been reviewed and tested before being permanently implemented.

There should be appropriate governance and culture which is capable of being maintained remotely. It is therefore recommended that firms keep records of how you have assessed and proposed to manage these issues and why. At the heart of all of this is the treatment of consumers and their access to services but there is also emphasis on the firm’s employees. This means maintaining their well-being, development, diversity and inclusion. In particular, firms should inform staff that the FCA could attend their home for regulatory purposes and support them to deal with this.

Potential consequences

If your firm falls foul of the above, the ramifications could be severe. The obvious outcome is the adverse impact on your client relationships and reputational harm. However, you could also receive claims for loss suffered by a data breach.

The ICO and the FCA may also exercise their respective enforcement powers, meaning management time being exhausted through regulatory investigations, or your firm being fined.

The ICO can issue higher maximum or standard maximum fines. The higher maximum if £17.5m or 4% of a firm’s annual turnover in the preceding financial year, whichever is higher. This can apply to any failure to comply with data protection principles. The standard maximum is £8.7m or 2% of a firm’s annual worldwide turnover in the preceding financial year, whichever is higher. This is applied to other failures, such as administrative failures under UK GDPR.

It is worth noting that the ICO has taken a hard line when it comes to fines in instances where firms have lax data security.