The effect of COVID-19 on the GDPR – Working Remotely.
Introduction
The measures that must be taken to slow the spread of COVID-19 will inevitably cause disruption for most organisations. The new reality imposed by the current health crisis means that many companies' entire workforce will be working remotely under lockdown measures for weeks, with the possibility that the situation will extend months further into spring and early summer. One area that organisations must consider is how to maintain compliance with the GDPR.
The ICO's guidance on what you need to know about data protection during the pandemic states that:
“Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.”
In general, the main goal of the GDPR is to ensure that individuals' personal data remains both secure and private. Strong remote access security policies can help safeguard the personal and confidential data that is protected by the GDPR.
Remote access policy
A remote access policy is the set of security standards for remote employees and devices. A company’s IT or data security team will typically set the policy. Virtual private network (VPN) usage, anti-malware installation on employee devices, and multi-factor authentication (MFA) are all examples of things that can be included in a security policy for remote access.
Implementing measures to ensure compliance with the GDPR
Under the GDPR, employers must ensure that personal data is processed in a secure manner, meaning that appropriate technical and organisational measures must be in place to secure the processing of any personal data. It is up to the employer to decide what is or is not an appropriate measure, taking into account the state of the art, the cost of implementation and the risks that the processing presents to individuals.
Article 32 of the GDPR requires organisations to implement technical and organisational security measures. While no specific methods are mandated, the Article lists examples of measures that are considered suitable, e.g. encryption of personal data. Encryption means that only approved users can access a data set: if an encrypted laptop is lost, the data on it is not accessible without the encryption key.
It is not always possible to encrypt all data, and in those cases the GDPR concept of 'pseudonymisation' may be useful. Pseudonymisation replaces the identifying fields of a record with artificial identifiers, so that the data can no longer be attributed to a specific person without additional information (for example a lookup table or secret key) that is kept separately and protected. Note that pseudonymised data is still personal data: it can be 'rebuilt' by whoever holds the separately stored additional information, which is what distinguishes it from anonymised data, which is out of scope of the GDPR altogether. Additionally, data passing over networks, including the Internet, should be encrypted in transit with HTTPS (TLS), a VPN, or another method.
Protect employee endpoints
Remote employee endpoint devices, such as laptops, desktop computers, and smartphones, must be protected from cyber-attacks, because a malware infection could result in a data breach. Devices should have anti-malware software installed at a minimum. A secure web gateway can also help protect employees as they browse the Internet.
Even more common than malware infections are lost devices: laptops or smartphones with sensitive data stored locally that employees accidentally leave in a public place. This is another reason why full-disk encryption of every endpoint (for example BitLocker, FileVault or LUKS) is so important: a lost encrypted device is a lost asset, while a lost unencrypted device is a potential personal data breach.
Train Employees on Company’s policy
Organisations should train their employees on the company's policy. The training should be repeated regularly, and compliance with the policy should be monitored so that gaps are found and corrected rather than assumed away.
Information management and security starts and ends with the company, not its employees. Therefore, every organisation must adopt an information management policy that guides employees who are working from home.
Meeting your other GDPR obligations
Beyond the need to ensure you have appropriate technical and organisational security measures in place, as a data controller you have to ensure you can still facilitate data subjects' rights while staff are dispersed, including responding to data subject access requests within the statutory time limit.
Further, employers must be able to quickly recognise, mitigate and respond to any security incident and should review their incident management processes to make sure they still work when everyone is remote. Under the GDPR, a personal data breach that is likely to result in a risk to individuals must be reported to the relevant supervisory authority within 72 hours of the employer becoming aware of it, and where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay. Employers should therefore make clear to their employees that any suspected data breach, including a lost or stolen device, must be reported to the employer immediately, since the 72-hour clock does not wait for the home worker to get back to the office.
Employers should also remember the GDPR requirement that controllers must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. This documentation may retrospectively be examined by the regulator should the regulator undertake any regulatory investigations of the data breach.
Conclusion
Even in these special circumstances, where remote work has become close to the new normal and where many employers face enormous pressure simply to keep their business operations running, it is crucial for the employer to remember that its responsibilities and obligations under the GDPR, and under any other applicable data protection legislation, continue unchanged. Even when employees are working from home it is, ultimately, the employer who remains responsible for compliance with all applicable data protection legislation.