GDPR Compliance and Remote Work

The Challenge for GDPR Compliance and Remote Work

The measures we all must take to slow the spread of COVID-19 will inevitably disrupt most organizations. Reducing the impact on your business is paramount.

One area you might not have considered is how to maintain compliance with the GDPR (General Data Protection Regulation). If you’ve introduced remote working, this will be especially challenging.

Defining and addressing the specific risks around remote workers remains a challenge, not least because of the GDPR’s broad reach. Data protection laws like the GDPR don’t prevent remote work, but you will need to apply the same kinds of security measures to remote staff that you would use in normal circumstances. But what does this mean in practical terms?

Taking a Risk-Based Approach

The GDPR calls for appropriate technical and organizational measures to safeguard personal data. Determining what is relevant requires regular risk assessments, but you might not have had time to accurately assess the impact and likelihood of homeworking risks before sending your staff home.

Here are some areas you should consider:

1. Issues With Bring Your Own Device (BYOD)

Under the GDPR, the data controller must remain in control of personal data at all times, which is nearly impossible when the controller does not own the device on which the data is accessed or stored (i.e. in a BYOD model).

Further problems with BYOD come from the increased risk of data breaches. For instance, if staff visit sites or download apps that you would typically blacklist, their machines might become infected with malware, putting information at risk.

Finally, with free rein over the app store and open browser access, employees using their own devices often store corporate data in unsanctioned cloud storage services such as Dropbox and Box. This poses significant challenges for GDPR compliance.

GDPR Recommendation:

Create a BYOD policy as part of your end-user IT policy and have it reviewed by your security team. Have all employees read, understand, and sign it, and keep the current version on your intranet or applicable document store.

2. The Human Factor

The most significant risk when working remotely is usually a compromise of information security as a result of human error.

People are often cited as the weakest link in any cybersecurity system, which is why the vast majority of malware – as much as 99% by Proofpoint’s estimate – is delivered via phishing campaigns. Phishing attacks exploiting the coronavirus outbreak have increased considerably.

GDPR Recommendations:

Training and awareness play a huge part in ensuring that remote workers are aware of these threats.

If staff receive emails with requests, attachments or links from unfamiliar senders, or unusual requests from recognized senders, the organization needs to ensure they know what to do. This includes telling them who to contact if they receive suspicious emails or requests that seem out of the ordinary (even if the request appears to come from a reliable source).

3. Meeting Your Other GDPR Obligations

Beyond the need to ensure you have appropriate technical and organizational security measures in place, as a data controller, you have to ensure you can facilitate data subjects’ rights.

Meeting the requirements of DSARs (data subject access requests), for instance, might be lower on your list of priorities at the moment. That’s entirely understandable.

If your resources are too stretched, don’t worry. The ICO states:

“We won’t penalize organizations that we know need to prioritize other areas or adapt their usual approach during this extraordinary period.”

The disruption caused by COVID-19 is inevitable, and it seems that we’re only at the start. You have enough to worry about without contending with things like cybersecurity and GDPR compliance issues. Taking a few small steps at this challenging time can help you protect yourself from GDPR compliance issues.

Author
Gavin Garbutt
Co-Founder & Chairman of Augmentt

