GDPR and working from home: what’s the impact?

Remote working has become an increasingly popular option for organisations over the past few years, thanks to technological advancements that help employees stay connected and productive while out of the office.

These technologies are more than essential than ever in light of the COVID-19 pandemic. Social distancing has forced many of us to stay at home for the foreseeable future, meaning remote working is, for many, no longer an option but a necessity.

As you will have already noticed, your new work setup will come with many new challenges, including the way you protect sensitive data. Without the security protections that come with being in the office, such as whitelisted IP addresses, you are vulnerable to an array of security vulnerabilities.

Information security must therefore be a top priority during this time. The last thing you need while managing so many other problems is to suffer a data breach.

The best place to start when it comes to staying secure is the General Data Protection Regulation (GDPR).

The Regulation helps organisations understand the security risks they face and the measures you should implement to mitigate them. By evaluating your compliance posture, you guarantee that you have considered the ways your systems might be compromised.

So, what aspects of the GDPR can help you stay safe during this crisis? Let’s take a look.


Data protection

Whenever an organisation creates a new way of accessing its data, it puts that data at greater risk. Working remotely intensifies that risk as it can be hard for the employee and the organisation to know when the data is breached, and it will be even harder to identify how it happened.

Organisations should address vulnerabilities to its networks and the physical storage of data.

Most remote workers will, by necessity, have to move data (or devices that can access that data) into public spaces.

That opens up the risk of data being mislaid. Many breaches have occurred from documents being left on trains, USB sticks falling out of someone’s pocket or laptops being stolen.

Although it’s hard to stop personal data being mislaid (there’s not much an organisation can do other than create strict data protection policies), there are ways to mitigate the damage once the data is breached.

Setting strict access rights means that, should a criminal get hold of the employee’s laptop or other work device, they would only be able to view a portion of the company’s personal data.

Organisations also need to protect data that’s held on devices. This can be achieved by encrypting or pseudonymising data before it is transferred (which is discussed in more detail below).


Privacy

To protect work laptops and devices from misuse, organisations may be tempted to implement software to track how employees (or criminals) use the device.

There’s plenty of software that can log keystrokes or track mouse movements, but this poses problems with complying with the GDPR.

Remote employees may well keep irregular hours and use their devices for both personal and work reasons, so it’s impossible to differentiate between monitoring an employee’s work and private life. Therefore, there’s no way of monitoring devices without violating your employees’ right to privacy.

It will also be difficult to find a lawful basis to process data. As the Article 29 Working Party writes:

Technologies that monitor communications can […] have a chilling effect on the fundamental rights of employees to organise, set up workers’ meetings, and to communicate confidentially (including the right to seek information).

Owing to the capabilities of such technologies, employees may not be aware of what personal data are being processed and for which purposes, whilst it is also possible that they are not even aware of the existence of the monitoring technology itself.


Data transfers

Whenever data is transferred from one location to another, it should be pseudonymised or encrypted to protect it from being leaked.

Pseudonymisation masks data by replacing identifying information with artificial identifiers. Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.

Like pseudonymisation, encryption obscures information by replacing identifiers with something else. However, whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.

Pseudonymisation and encryption can be used simultaneously or separately.


Control your remote work risks

As with any cyber security risk, the issues caused by remote working can be mitigated through effective documentation.

Our Remote Working Policy Template contains everything you need to know, including guidance on storing devices securely, requirements for creating and maintaining strong passwords, and an example acceptable use policy.

Developed by information security and data privacy experts, this template helps you quickly create and implement your own remote working policies and procedures. All you need to do is customise it to fit the specifics of your organisation.


A version of this blog was originally published on 25 September 2017.

2 Comments

  1. JJ 20th April 2020
  2. Luke Honeybourne 24th April 2020

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.