The Compliance Risk with Homeworkers

Having employees work from home has always posed challenges to an organisation’s compliance. Now that homeworking is increasingly common and entrenched in the economy, these challenges are more widespread. And homeworking does not mean any lessening of an employer’s compliance responsibilities.

For example, the HSE explicitly states that ‘As an employer, you have the same health and safety responsibilities for home workers as for any other workers’. This is also true for employer responsibilities relating to data protection and mental wellbeing.

Homeworking challenges

Many of the homeworking compliance challenges stem from employers having less direct oversight over aspects of the workplace setup. In their workplace, the organisation has control over things like the setup of desks, safety equipment, and information technology and communication (ITC) equipment. This allows organisations to control display screen equipment (DSE) risks by, for example, supplying and setting up ergonomic desks, chairs, accessories and managing temperature. Having control over physical ITC, eg routers and firewalls, allows organisations to mitigate some data protection and cybersecurity risks.

The workplace also brings employees together, facilitating teamwork, collaboration and social interaction – all of which have a positive effect on employee wellbeing and creativity.

It is possible to place the compliance risks homeworking introduces into three categories: display screen equipment (DSE), data protection and cybersecurity, and employee wellbeing.

Display screen equipment (DSE)

Homeworking environments should meet all the same DSE standards as an organisation’s workplace, and they must meet fire safety standards too. However, your employees will have varied home and living circumstances. They will have different-sized homes, live with different people (eg family or housemates), and have different equipment needs.

Data protection and cybersecurity

Many homeworking employees will share their network with their family or housemates, which increases the risk of an accidental data breach. Homeworking can also strain the ability of your organisation to react to and remedy a data breach. Many of your employees might be using insecure routers or will be using their routers with only basic security features enabled, leaving them vulnerable to hacking attempts.

Employee wellbeing

Some homeworkers might spend their entire working day alone. Perhaps they live alone, or their family leaves for their work or schooling. This might lead to homeworkers feeling isolated and lonely. Alternatively, with the workplace always nearby, homeworkers might work longer hours, which can lead to employee stress and burnout.

Ensuring compliance with your homeworkers

In the rest of this article, we will discuss what your organisation should do to ensure compliance while facilitating homeworking for employees. We will focus on general principles that apply to nearly all organisations. However, you need to consider if your organisation has any industry or product-specific requirements. For example, your IT team might have to investigate access and file control mechanisms for homeworkers.

Risk assessments, training and policies are the foundations of a compliance strategy, and they are implemented widely. However, organisations sometimes go through the motions of risk assessments by relying on their own knowledge and experience of the workplace without engaging their employees. Many organisations rely on in-person training and demonstrations, or they use e-learning courses that are not maintained, are poorly researched, and are not engaging or relevant. Some organisations distribute policies but would struggle to show that employees have read or understood them.

Risk assessments

With homeworking environments, the employee must have an active role in the risk assessment process. As the employer does not control the environment, it is not feasible for them to:

  • Rely on an individual manager’s judgement alone
  • Apply assessments designed for the workplace to the home environment
  • Implement solutions based on past experience of the workplace

The homeworker is best placed to assess the homeworking space they can provide. They will be able to indicate what type of equipment they need, the potential data protection threats and how homeworking is affecting their wellbeing.

Just like in an office, situations change and develop over time. The HSE says that DSE risk assessments should be repeated when ‘a new workstation is set up; a new user starts work; a change is made to an existing workstation or the way it’s used; users complain of pain or discomfort’. The same applies to homeworkers. Homeworkers might also need to consult their IT team about any changes to the home network, eg a new router or a change of internet provider.

A risk assessment solution should be flexible and have the ability to be deployed quickly. Ideally, the employee should be able to find and submit a risk assessment whenever a change of circumstance arises.

Training

Data protection and cybersecurity compliance require training and refresher training. Cybercriminals are quick to adapt to what they see as new opportunities. For example, during the Covid-19 pandemic, cybercriminals quickly pivoted to incorporating the fear and uncertainty the pandemic generated into their phishing emails. Some of these emails were successful. The majority, if not all, could have been avoided by applying cybersecurity best practices, eg checking the email’s sender and not downloading attachments from unknown senders. Recurring and automated phishing or cybersecurity training helps keep employees aware of, and vigilant against, the threats and tactics used by cybercriminals.

Moving from an office to homeworking is a key time to refresh employees on their responsibilities under data protection legislation. All GDPR-related regulations remain in place and, indeed, require extra care from the employee. It is important that homeworkers are not under any illusion that their compliance responsibilities diminish because they are not in the workplace. An easy-to-distribute and comprehensive e-learning course can help re-emphasise how crucial data protection is.

Further, training is one way an organisation can support the wellbeing of homeworking employees. It is an appropriate way to inform employees of mental wellbeing strategies such as stress management, mindfulness, resilience, good nutrition and physical activity. Homeworkers can incorporate what they learned in training into their working day and life. Training on these subjects can also encourage dialogue in the organisation, which will foster a supportive and healthy dynamic.

While there is a definite place for off-the-shelf training solutions, a little bit of customisation can go a long way. Every organisation does something a little different, eg different software packages. Being able to rapidly edit training solutions to include information specific to your organisation and its policies, procedures, and tools will make the training relevant and interesting.

The training and compliance needs of organisations are constantly changing, and because of this, automating the enrolment and re-enrolment of training can be a powerful tool. Health and safety, compliance or learning and development teams benefit greatly. Automated enrolments allow them to focus on more complex tasks while minimising human error and time spent on these repetitive administrative tasks.

Policies

Policies are critical. They define the standards of behaviour and levels of professionalism you require from employees. Good policies that are understood and implemented can create a culture of compliance. Your organisation probably has many of the relevant policies, eg data protection, cybersecurity, work-related stress. However, many organisations bundle policies into a physical employee information booklet that they give to employees when they join – never to be looked at again. Other organisations rely on emailing policies to employees, which makes proving acceptance and understanding very challenging.

The ever-changing business, regulatory and societal situation we live in requires solutions that allow policies to be created, updated and distributed quickly, and that keep reliable records of employee engagement. For example, organisations that switched to homeworking due to Covid-19 would have had to update cybersecurity or work-related stress policies rapidly. Many had to create a homeworking policy from scratch. Once the policies were finalised, they needed employees to receive, read and sign them promptly.

It is also useful to go beyond a passive ‘tick to agree’ approach to policies. For this, testing can be valuable. Testing employees on the contents of the policy is a great way to ensure a high level of understanding, and this will help employees apply compliance best practices naturally.

Final thoughts

Risk assessments, training, and policies can all work in sync. Risk assessments can help your organisation respond to the peculiarities of each homeworker’s situation. The results of risk assessments can also help define training needs and inform policy responses. For example, a risk assessment might show that homeworkers have additional wellbeing needs, for which training might be one part of a solution.

Good training that engages employees and provides up-to-date and well-researched information can bring policies to life. A policy might demand that an employee uses strong passwords. Training teaches them why this is important, then how to create secure passwords, thus making the behaviour natural to the employee.

If you need to ramp up your compliance efforts, EssentialSkillz has a service for you. We provide off-the-shelf e-learning courses on DSE, homeworking, data protection, cybersecurity, stress management, mindfulness, resilience, nutrition, physical activity and more. We have off-the-shelf employee-led risk assessments for DSE, lone working and homeworking. Further, our courses and risk assessments are easily tailored to suit your organisation’s specific needs. You can use our powerful Compliance Platform to distribute the courses and assessments, or we can integrate with your current systems.

Our Compliance Platform provides a policy distribution and reporting tool that allows:

  • Rapid policy distribution
  • Employees to declare they have read the policy
  • Secure recording of the employee’s agreement with the policy

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.