7 privacy management tips in the age of hybrid work

by Sypher | Published in Resources


As a privacy professional, your role is critical in ensuring that your organisation achieves privacy compliance without compromising productivity. The increasing prevalence of hybrid work has created new challenges in achieving this balance. 

The facts of the matter

According to Eurostat, the share of people working from home at least occasionally in the EU more than doubled, from 5.5% in 2019 to 12.3% in 2020, arguably due to the pandemic. It might not seem like much, but even the most conservative estimates place the proportion of companies that are currently accepting hybrid work at well above 50%. So, chances are, you are working for a hybrid-friendly company right now.

The rise of hybrid work has coincided with an increase in data breaches, which can be extremely costly for organisations: the average cost of a data breach is $4.54 million, according to the IBM Security Cost of a Data Breach 2022 report. 

☝️ Most importantly, the IBM report showed that $1 million is the average difference in cost where remote work was a factor in causing the breach versus when it wasn’t a factor. 

While hybrid work offers many benefits, its proliferation has contributed to the increased occurrence of data breaches, as employees are more vulnerable to phishing attacks and other types of cyber threats when working outside of the traditional office environment. 

Top privacy challenges in hybrid work environments

Let’s focus on three of the most prevalent challenges faced by data privacy professionals such as yourself in the age of hybrid work: 

Cybersecurity risks
Remote work increases the risk of cybersecurity breaches. Check Point Research reported that global cyberattacks increased by 38% in 2022, compared to 2021, and there is a strong correlation with the concomitant advent of hybrid work.

Privacy concerns with remote communications
Video conferencing is an essential tool for remote work, but it also presents privacy concerns. Play your part in ensuring that video conferencing and other comms tools and practices comply with regulations and that employees understand the risks.

Use of personal devices for work (BYOD)
Telecommuters may use personal devices or unsecured networks, making them vulnerable to cyber threats. Additionally, they may unintentionally expose sensitive data by working in public spaces or leaving devices unlocked. 

NOW, let’s get into the nitty-gritty and explore how you can go about implementing a successful privacy management program WHILE not discouraging productivity in a hybrid work environment. Here are some pointers that you might want to consider:

1. Nurture a data protection culture

Privacy is a team game! It is crucial to ensure that data protection is always considered in all business decisions. You can achieve this by instilling a privacy-first mentality and considering a few practical approaches:

  • Secure sufficient resources for data protection efforts by working closely and transparently with your exec team.
  • Communicate regularly with colleagues and stakeholders about data protection efforts and progress, including an annual data protection report. 
  • Coordinate your efforts with the Legal, IT, and Information Security (InfoSec) teams to ensure that data protection is integrated into all systems and procedures.
  • Explore solutions, including tech solutions, to reduce friction and enhance collaboration and efficiency among team members and across different departments.

Regular check-ins with colleagues can also help maintain data privacy in a hybrid work environment. These check-ins can help identify potential issues and challenges that people may be facing while working remotely, and address them proactively.

2. Regular training: your most effective tool

Human error is the most significant security threat that organisations face, and yet it often receives little attention. According to Verizon's 2022 Data Breach Investigations Report, 82% of data breaches involve a human element. This could mean employees inadvertently exposing information, misconfiguring databases, or making mistakes that allow cybercriminals to access organisational systems.

All in all, do your very best to help inform your colleagues on data protection best practices and ensure that all of them are aware of their responsibilities when it comes to handling personal data. 

3. Promote secure communication practices

Using secure communication tools such as virtual private networks (VPNs) and encrypted messaging apps is crucial to protect sensitive data. Moreover, video conferencing has become an essential tool for hybrid work, presenting new privacy concerns. For example, Zoom came under fire for its flawed end-to-end encryption claims and for sharing user data with third parties. 

While Zoom has taken steps to address privacy concerns, it remains paramount for users to be vigilant about protecting personal information when using this app, and any app for that matter. 

4. Collaborate closely with InfoSec

You can best tackle the challenges of a hybrid work environment by combining your expertise in privacy management with InfoSec practices. By taking a holistic approach to data protection, you can ensure that sensitive data remains secure while also facilitating legitimate business purposes — with productivity being an important pillar, especially in a hybrid work environment.

If you want to explore the topic in depth, we have created an extensive article on the matter: 

🔗 Privacy Management & Information Security - Two Sides of the Data Protection Coin.

No time for another article right now? Let me take you through the gist of it:

  • While privacy management is activity-focused and people-centric, information security is asset-centric and focuses on risks, controls, policies, and procedures to establish and maintain security.
  • Collaboration between the two departments can increase operational efficiency, avoid redundant work, and massively reduce cybersecurity threats.
  • Connecting the ROPA with the data-asset register can help both teams understand potential security risks and prioritise resource allocation.
  • Implementing a centralised risk and compliance information repository can save time and work, identify potential gaps, and allow for reuse of commonly available information.

5. Stay on top of data encryption

By using robust encryption and enforcing cybersecurity tactics, businesses can save on average $1.4 million for each attack, as reported by the Ponemon Institute. Here are 15 encryption statistics that will bring light to the encryption conundrum faced by the global business environment.

While the implementation of data encryption solutions is never the direct responsibility of the DPO, collaborating with IT and InfoSec to ensure the proper solutions are deployed is only going to benefit your privacy program. ⚠️ Scratch that: it might depend on it.

6. Advocate for access controls & multi-factor authentication

Access controls and multi-factor authentication are critical components of an organisation's data protection strategy. While their implementation and management typically fall under the purview of InfoSec, you should also be concerned: according to a report by Varonis, 53% of companies leave over 1,000 sensitive files and folders unencrypted and open to all of their employees.

Access controls can limit access to sensitive data to only authorised personnel, and multi-factor authentication can all but eradicate the risk of unauthorised access to individual accounts. 🚀 Yes, it is that effective: according to Microsoft, multi-factor authentication can prevent up to 99.9% of account hacks.

7. Build a solid incident response plan

Having an incident response (IR) plan in place is essential for responding to a personal data breach. The plan should outline the necessary steps to be taken in the event of an incident, including the roles and responsibilities of each IR team member. 

According to IBM's Cost of a Data Breach 2022 report, organisations with a regularly tested IR plan saved an average of $2.66 million in breach costs compared to those without a plan.

You might want to check out one of our articles on the topic, for a step-by-step approach: 

🔗 Privacy incident response planning: a playbook for DPOs

Final thoughts

Navigating the challenges of data privacy in a hybrid work environment can be a daunting task, but it's also an opportunity for you to shine as a privacy professional. Mainly by nurturing a culture of data protection and collaborating closely with InfoSec, you can help your organisation achieve privacy compliance without compromising productivity. 
