GDPR: The implications of working from home or on the road

More employees than ever now work remotely, and whether they’re at home, on a business trip or commuting, provisions need to be put in place to make sure data isn’t misused, mislaid or misappropriated.

This has typically meant encrypting data, creating access management policies or providing security software for employees’ devices. But as the EU General Data Protection Regulation (GDPR) nears, organisations need to make sure their provisions meet the Regulation’s requirements.

Here are some of the issues organisations should be aware of.

Data protection

Whenever an organisation creates a new way of accessing its data, it puts that data at greater risk. Remote working intensifies that risk as it can be hard for the employee and the organisation to know when the data is breached, and it will be even harder to identify how it happened.

Organisations should address vulnerabilities to its networks and the physical storage of data.

Most remote workers will, by necessity, have to move data (or devices that can access that data) into public spaces. That opens up the risk of data being mislaid. Many breaches have occurred from documents being left on trains, USB sticks falling out of someone’s pocket or laptops being stolen.

Although it’s hard to stop personal data being mislaid (there’s not much an organisation can do other than create strict data protection policies), there are ways to mitigate the damage once the data is breached. Setting strict access rights means that, should a criminal get hold of the employee’s laptop or other work device, they would only be able to view a portion of the company’s personal data. Organisations also need to protect data that’s held on devices. This can be achieved by encrypting or pseudonymising data before it is transferred (which is discussed in more detail below).

Privacy

To protect work laptops and devices from misuse, organisations may be tempted to implement software to track how employees (or criminals) use the device. There’s plenty of software that can log keystrokes or track mouse movements, but this poses problems with complying with the GDPR.

Remote employees may well keep irregular hours and use their devices for both personal and work reasons, so it’s impossible to differentiate between monitoring an employee’s work and private life. Therefore, there’s no way of monitoring devices without violating your employees’ right to privacy.

It will also be difficult to find a lawful basis to process data. As the Article 29 Working Party writes: “Technologies that monitor communications can […] have a chilling effect on the fundamental rights of employees to organise, set up workers’ meetings, and to communicate confidentially (including the right to seek information).

“Owing to the capabilities of such technologies, employees may not be aware of what personal data are being processed and for which purposes, whilst it is also possible that they are not even aware of the existence of the monitoring technology itself.”

Data transfers

Whenever data is transferred from one location to another, it should be pseudonymised or encrypted to protect it from being leaked.

Pseudonymisation masks data by replacing identifying information with artificial identifiers. Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.

Like pseudonymisation, encryption obscures information by replacing identifiers with something else. However, whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users to access the full data set.

Pseudonymisation and encryption can be used simultaneously or separately.

Learn more about the GDPR

To find out more about preparing for the Regulation, you should enrol on one of our GDPR training courses. Depending on your level of expertise, you might be interested in either:

Certified EU General Data Protection Regulation Foundation (GDPR) Training Course

Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course

These courses are available in both classroom and distance learning formats.

Book these courses together in our Combination Course and save 15%.

Leave a Reply

Your email address will not be published. Required fields are marked *