GDPR: The implications of working from home or on the road

Remote working has become an increasingly popular option for organisations over the past few years, thanks to technological advancements that help employees stay connected and productive while out of the office.

These technologies are more essential than ever in light of the COVID-19 pandemic. Social distancing has forced many of us to stay at home for the foreseeable future, meaning remote working is, for many, no longer an option but a necessity.

As you will have already noticed, your new work setup will come with many new challenges, including the way you protect sensitive data. Without the security protections that come with being in the office, such as whitelisted IP addresses, you are exposed to an array of security vulnerabilities.

Information security must therefore be a top priority during this time. The last thing you need while managing so many other problems is to suffer a data breach.

The best place to start when it comes to staying secure is the GDPR (General Data Protection Regulation).

The Regulation helps organisations understand the security risks they face and the measures they should implement to mitigate them. By evaluating your compliance posture, you guarantee that you have considered the ways your systems might be compromised.

So what aspects of the GDPR can help you stay safe during this crisis? Let’s take a look.

Data protection

Whenever an organisation creates a new way of accessing its data, it puts that data at greater risk. Remote working intensifies that risk as it can be hard for the employee and the organisation to know when the data is breached, and it will be even harder to identify how it happened.

Organisations should address vulnerabilities to their networks and the physical storage of data.

Most remote workers will, by necessity, have to move data (or devices that can access that data) into public spaces.

That opens up the risk of data being mislaid. Many breaches have occurred from documents being left on trains, USB sticks falling out of someone’s pocket or laptops being stolen.

Although it’s hard to stop personal data being mislaid (there’s not much an organisation can do other than create strict data protection policies), there are ways to mitigate the damage once the data is breached.

Setting strict access rights means that, should a criminal get hold of the employee’s laptop or other work device, they would only be able to view a portion of the company’s personal data.

Organisations also need to protect data that’s held on devices. This can be achieved by encrypting or pseudonymising data before it is transferred (which is discussed in more detail below).


To protect work laptops and devices from misuse, organisations may be tempted to implement software to track how employees (or criminals) use the device.

There’s plenty of software that can log keystrokes or track mouse movements, but this poses problems for GDPR compliance.

Remote employees may well keep irregular hours and use their devices for both personal and work reasons, so it’s impossible to differentiate between monitoring an employee’s work and private life. Therefore, there’s no way of monitoring devices without violating your employees’ right to privacy.

It will also be difficult to find a lawful basis to process data. As the Article 29 Working Party writes:

“Technologies that monitor communications can […] have a chilling effect on the fundamental rights of employees to organise, set up workers’ meetings, and to communicate confidentially (including the right to seek information).

“Owing to the capabilities of such technologies, employees may not be aware of what personal data are being processed and for which purposes, whilst it is also possible that they are not even aware of the existence of the monitoring technology itself.”

Data transfers

Whenever data is transferred from one location to another, it should be pseudonymised or encrypted to protect it from being leaked.

Pseudonymisation masks data by replacing identifying information with artificial identifiers. Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.

Like pseudonymisation, encryption obscures information by replacing identifiers with something else. However, whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.

Pseudonymisation and encryption can be used simultaneously or separately.
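
An added illustration of the pseudonymisation described above (not code from the original post): identifying fields in a constructed record set are replaced with artificial identifiers before transfer, so the rest of each record stays readable while re-identification needs a lookup table that stays with the sender. The field names, key and records are constructed assumptions, and HMAC-SHA256 is one possible way to generate the identifiers, not something the post specifies.

```python
import hashlib
import hmac

# Assumption: the controller decides which fields identify a person.
IDENTIFYING_FIELDS = ("name", "email")


def pseudonym(value, key):
    """Stable artificial identifier for one identifying value.
    Keyed HMAC, not a bare hash: without the key, a recipient cannot
    confirm a guessed name or email by hashing it.
    """
    normalised = value.strip().lower().encode("utf-8")
    return "p_" + hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (transfer_set, lookup). The lookup stays with the controller."""
    transfer_set, lookup = [], {}
    for record in records:
        out = dict(record)
        for field in IDENTIFYING_FIELDS:
            if out.get(field):
                token = pseudonym(out[field], key)
                lookup.setdefault(token, out[field])
                out[field] = token
        transfer_set.append(out)
    return transfer_set, lookup


def reidentify(record, lookup):
    """Reverse the substitution; needs the lookup table."""
    return {k: lookup.get(v, v) if k in IDENTIFYING_FIELDS else v
            for k, v in record.items()}


# Constructed sample key and records, for illustration only.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_RECORDS = [
    {"name": "Alex Example", "email": "alex@example.com", "department": "Finance"},
    {"name": "Sam Sample", "email": "sam@example.com", "department": "HR"},
    {"name": "Alex Example", "email": "Alex@Example.com", "department": "Finance"},
]

if __name__ == "__main__":
    shared, table = pseudonymise(SAMPLE_RECORDS, SAMPLE_KEY)
    for row in shared:
        print(row)  # department readable, name/email replaced
    print(reidentify(shared[0], table))
```

The same person receives the same pseudonym in every record, so a recipient can still group or join rows without learning who they describe.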

Boost your GDPR expertise

You can find out more about how to ensure your organisation is compliant with our Certified GDPR Foundation Distance Learning Training Course.

This course provides a comprehensive overview of the GDPR, and is an essential solution to help you tackle the data protection risks resulting from the novel coronavirus pandemic.

If your organisation is among the many following work from home policies, you’ll have first-hand experience of the strain caused by the growing dependence on digital tools – many of which may be unfamiliar to your team – and the uncertainty surrounding your business operations.

These issues weaken your security measures and open the door for cyber criminals, whose operations will thrive during the chaos.

Without in-person support from data protection and cyber security experts, staff rely on managers more than ever for guidance on how to work safely and within the GDPR’s requirements.

By enrolling on this course, you’ll learn everything you need to lead your team through these challenging times.

A version of this blog was originally published on 25 September 2017.

