COVID-19 – Remote Working and Data Protection Implications

Source: covid19.law

The fight against the COVID-19 pandemic has caused a vast majority of organisations to adapt work from home arrangements for most of their employees. The GDPR and data privacy laws require organisations to make sure that personal data remains protected and processed in accordance with the GDPR even when it is being handled remotely.  In particular, Principle 6 of the GDPR requires the businesses to take appropriate technical and organisational measures to protect personal data.

Conducting activities remotely, however, poses a number of complex challenges from a data protection perspective. Under the GDPR, a personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Therefore, such a breach occurs not only when information is ‘leaked’ and obtained by unauthorised parties (e.g. due to a cyber-attack), but also when access to data is lost, either through losing documents or damaging data carriers (such as corporate USB sticks).

Risks to Personal Data Associated with Remote work

Whenever an organisation creates a new way of accessing its data, it puts that data at greater risk. Remote working exacerbates that risk as it can be hard for the employee and the organisation to know when the data is breached, and it will be even harder to identify how it happened. There are some circumstances that make organisations more vulnerable to such threats and constitute potential data security gaps. These include:

• Violating the organisation’s guidelines by the employees on processing, storing or sending information, using inadequately secured private or mobile devices (with no antivirus software, out-of-date operating system software and applications, no encryption solutions, etc.) or using an unsecured Wi-Fi network (e.g. with no strong password);
• Having no back-up plan or alternative communication and work scenarios in the event that basic remote work resources (such as the VPN or communication platform) become unavailable (e.g. due to overload);
• Access by third parties to the company device or company sensitive documents (for example, family members / friends can use the device);
• Hardcopy material used at the remote worksite can be lost or stolen;
• Loss or theft of company device;
• Transferring documents and data carriers (e.g. from the office to home);
• Hindered access to people providing support on data protection (IT, DPO, Compliance Officer, etc.);
• The employees having low awareness of threats related to personal data protection.

Ways to counteract these threats and how to stay compliant with the GDPR

Create a remote work policy and procedure	Organisations should develop and implement remote work policy and procedures. A remote work policy is an agreement that outlines when and how employees can work from locations other than the office, the best practices to follow including cybersecurity requirements and how to keep personal data safe.
Create a remote data access policy	A remote data access policy is simply a set of rules that identify clearly whom should have access to what. It should state clearly the names and the responsibilities of every individual that has the right to access company’s servers. No employees, whether remote or not, should have complete access to the company’s servers or to files they don’t use for their daily tasks.
Encrypt devices	Encrypt all remote employees’ devices and enforce data encryption on all devices. You can install an encryption software which encrypts the whole disk or only certain files. Another option is to install a remote-wipe app which erases all data when the device gets stolen or lost.
Data Transfer	Whenever data is transferred from one location to another, it should be pseudonymised or encrypted to protect it from being leaked.
Set a clear notification procedure	A clear and actionable procedure should be in place for your employees to be able to report breach incidents to authorised individuals. You should make sure your employees understand what constitutes a data breach and they should clearly understand the actions they should take if they discovered such incident.
Education and awareness	It is best practice to raise a higher level of data security awareness and provide training before the crisis situation occurs. However, once we find ourselves in an emergency, it is worth intertwining information on personal data protection threats into the well-established crisis communication channel. For example, one can make employees aware that they can be particularly vulnerable to phishing attacks, involving clickable information on coronavirus (scammers used spread maps for this purpose). They should also know what they should do in such an event (e.g. immediately inform IT).

Undoubtedly, COVID-19 is a worldwide health concern, but do not let it become a data protection issue too. You should put in place steps to prevent those risks from becoming a data breach that could potentially expose your organisation with an administrative fine or penalty as allowed under the GDPR.

 

Author: Farman Sayed