Are you going to check your work emails from abroad? I know what some of you are thinking already.
“I’m not taking work on holiday.”
Neither am I.
But if I’m honest, I will probably check my emails once or twice while I’m away. If a client has a problem, if a website falls over or if something urgent crops up, I’ll want to know about it. And I do like to keep an eye on whether the people who promised to pay me actually did!
That’s when I started wondering what else I might be taking abroad besides a passport, a swimsuit and a phone charger.
A few years ago, this would have been a much simpler question. Many of us worked primarily from a laptop and perhaps a work phone.
Today, for many small business owners, the phone has become the business. We often have only one personal and work phone so leaving it at home is not an option. It contains our: emails, calendars, contacts, booking systems, banking apps, customer messages, authentication tools and access to countless online services.
If you’re planning a holiday this summer and suspect you might take a quick look at your inbox while you’re away, you need to ask yourself some questions:
What Business Information Can You Access From Your Phone?
Many people don’t think they store much business information on their phone. Then they start listing the apps they use every day and realise just how much information is only a few taps away.
You can easily view: Emails. Customer records, Booking systems, Payment notifications, Photographs, Cloud storage, Social media accounts, Password managers, Authentication apps and more.
If you haven’t already read it, you may also find my article Your Phone Is Now Part of Your Business Security System useful.
For some businesses, that may include children’s data, health information, confidential client records or commercially sensitive information.
You may not have deliberately downloaded any of this data onto your phone. Modern systems are designed to make information available wherever you happen to be. That’s often convenient. But if you are viewing it abroad, you are ‘processing’ it abroad. Even if that’s all you do. And who can look at emails and not reply to a single one? That takes strength.
As I was preparing for my own trip, I found myself asking a simple question.
If this phone disappeared tomorrow, what information would I lose access to and what information might be affected?
What Happens If Your Phone Is Lost, Stolen or Broken?
Some people travel with a laptop, phone and tablet. Others rely almost entirely on their phone.
Whatever your arrangement, it is worth thinking about what would happen if your main device suddenly wasn’t available.
We often worry about hackers, but most travel-related problems are far less dramatic. Phones get left in taxis. Tablets are forgotten in airport lounges. Devices stop charging, get dropped in swimming pools or simply decide to stop working at the least convenient moment. My phone’s favourite trick is to start wanting 12 hours to recharge on different voltages via a converter!
That can be irritating if all you’ve lost are your holiday photos. It becomes much more serious if you’ve also lost access to your email, customer records, banking apps, booking systems and authentication codes.
Modern devices are generally secure, particularly if you turn on all the security features provided by the manufacturer.
However, today’s question isn’t simply whether somebody else could access your information.
It’s whether you could still access your business.
If your phone disappeared tomorrow, could you still get into your email? Do you know where your passwords are stored? Could you receive authentication codes? Do you know how to locate, lock or wipe a missing device?
Many people discover that their passwords, authentication app and recovery information are all stored on the same phone. That arrangement works perfectly until the day the phone is no longer available.
Does Checking Work Emails From Abroad Create A GDPR Issue?
This was one of the questions that occurred to me while planning my own trip.
If I check work emails from France, access customer records or log into business systems while I’m away, what exactly is happening from a GDPR perspective?
People often ask me if a cross border data processing pack is necessary for a holiday.
Many people assume there must be a simple answer. Perhaps a week doesn’t count but a month does. Perhaps GDPR only becomes relevant if you move abroad permanently.
The legislation doesn’t work like that.
There is no holiday exemption and there is no 14-day rule.
If personal data is being viewed, it is being processed. If that viewing takes place outside the UK, then the processing is taking place outside the UK.
That doesn’t automatically mean you shouldn’t check your emails while you’re away. Nor does it automatically mean you need to cancel your holiday and spend the next month completing paperwork (not that ours would take you that long!).
What it does mean is that there are questions worth asking before you leave rather than after you arrive.
For many small businesses, the biggest issue isn’t that they’ve reached the wrong conclusion. It’s that they’ve never realised there was a question to consider in the first place.
Does Your Phone Need A Passport?
Of course it doesn’t.
Yet the little rectangle sitting in your pocket may be carrying access to customer records, children’s information, client databases, contracts, banking systems and authentication tools.
It may not need a passport, but it is crossing borders with a surprising amount of information.
That doesn’t make travel impossible. It simply means it is worth thinking about what is actually happening.
Many of us spend more time checking whether we’ve packed a charger than considering what our phone can access once we arrive.
Perhaps it deserves a place on the holiday checklist after all.
Business Owners And Business Supporters Need To Ask Different Questions
As I was thinking about this article, it struck me that not everybody reading it will be looking at the same risks.
A childcare provider checking booking information from Spain and a Virtual Assistant accessing a client’s customer database from Spain may both be sitting beside the same swimming pool. However, they are not necessarily asking the same questions.
If you are a business owner accessing your own customer information while abroad, it may be worth looking at your data privacy policy and asking yourself what expectations it creates. If a parent, customer or client read it today, would they understand that information may be accessed while you are travelling? If not, should you review how your processing activities are described?
If you process personal data on behalf of clients, the starting point is slightly different.
This is a good time to review your Data Processing Agreement (DPA) or other processing documentation. For some businesses that may be a formal DPA. For others it may be a Data Processing Form or similar document recording what data is processed, where processing takes place and the arrangements agreed between the parties.
If you intend to access personal data from another country, even temporarily, it is worth checking whether the documentation still reflects reality.
Most clients will be perfectly comfortable with a holiday arrangement once they understand what is happening and what safeguards are in place.
Some will not. They may have contractual commitments of their own, sector-specific requirements, insurance obligations or simply a different view of the risks involved.
The advantage of raising the issue before you travel is that you have time to update documentation, confirm arrangements in writing or make alternative arrangements if necessary.
That’s much easier than discovering halfway through your holiday that your client expected all processing to remain within the UK.
And remember you are not asking your client for permission to go on holiday but notifying them of a temporary change of location and what you have put in place to access that date securely. And if necessary making arrangements if they are not happy with non UK processing.
Whether you are a controller or a processor, the common theme is the same. The paperwork, risk assessments, policies and expectations should reflect what is actually happening in practice.
A Few Questions Before You Leave
Before you head for the airport, ferry terminal or motorway, it may be worth taking a few minutes to ask yourself:
- What business information can I access from my phone, tablet or laptop?
- What would happen if my main device stopped working tomorrow?
- Can I still access my accounts if I lose access to my phone?
- Do I know how to locate, lock or wipe a missing device?
- Does my privacy information accurately reflect what I am doing?
- Does my processing documentation accurately reflect what I am doing?
- Whom do I need to notify and how?
- Have I actually thought about the risks (and ideally documented that thinking) before I leave?
This is not only about data security and GDPR it is also about business continuity and resilience if something goes wrong.
The challenge is that many of us never think to ask them.
Before the ducks fly
As I finish packing for my own trip, I’m reasonably confident I’ve remembered the passport, chargers and travel insurance. Whether I’ve remembered everything else remains to be seen.
What I do know is that spending half an hour thinking about my phone, my clients, my customers and my paperwork before I leave is likely to be far less stressful than trying to sort things out from a holiday apartment with patchy Wi-Fi.
I will be putting auto responders on my email not only saying i am away but if something urgent comes up I will be accessing from France and notices in my support groups. So everyone will know and everyone can say – “Don’t worry it can wait” (hopefully) or “it is urgent please access in France if you can.”
Most of us don’t need to stop travelling. Most of us don’t need to stop checking work entirely either. (Wouldn’t that be a nice thing to be able to do!!)
We just need to spend a little time making sure our ducks are in a row before they fly.
