GDPR Compliance and Remote Work

The Challenge for GDPR Compliance and Remote Work


The measures we all must take to slow the spread of COVID-19 will inevitably disrupt most organizations. Reducing the impact on your business is paramount.

One area you might not have considered is how to maintain compliance with the GDPR (General Data Protection Regulation). If you’ve introduced remote working, this will be especially challenging.

Defining and addressing the specific risks around remote workers remains a challenge, not only because of the broad reach of GDPR. While data protection laws like GDPR don’t prevent remote work, but you’ll need to consider the same kinds of security measures for remote staff that you’d use in normal circumstances. But what does this mean in practical terms?

Taking a Risk-Based Approach

The GDPR calls for appropriate technical and organizational measures to safeguard personal data. Determining what is relevant requires regular risk assessments, but you might not have had time to accurately assess the impact and likelihood of homeworking risks before sending your staff home.

Here are some areas you should consider:

1.     Issues With Bring Your Own Device (BYOD)

According to the General Data Protection Regulation (GDPR), the data controller must be in control of the data at all times, which is near impossible when the controller does not own the device where the data is being accessed or stored (i.e. in a BYOD model).

Further problems with BYOD come from the increased risk of data breaches. For instance, if staff visit sites or download apps that you would typically blacklist, their machines might become infected with malware, putting information at risk.

Finally, with free reign over the app store and open browser access, employees with BYOD devices often use unsanctioned cloud storage services like DropBox and Box to store corporate data. This can pose significant challenges for GDPR compliance.

GDPR Recommendation:

Create a BYOD policy as part of your end-user IT policy and have this reviewed by your security team. Have all employees read, sign, and understand the procedures and keep it updated on your intranet or applicable document store

2.     The Human Factor

The most significant risk when working remotely usually relates to information security being compromised (as a result of human error).

People are always credited as the weakest link in any cybersecurity system, which is why the vast majority of malware – as much as 99% by Proofpoint’s estimate – is delivered via phishing campaigns. Phishing attacks exploiting the coronavirus outbreak have seen a considerable increase.

GDPR Recommendations:

Training and awareness play a huge part in ensuring that remote workers are aware of these threats.

If staff start receiving emails with requests or attachments/links from unfamiliar senders or unfamiliar requests from recognized senders, then the organization needs to ensure that they’re aware of what to do. This includes providing information on who to contact if they receive suspicious emails or requests that seem unfamiliar (even if that request is from a reliable source).

3.     Meeting Your Other GDPR obligations

Beyond the need to ensure you have appropriate technical and organizational security measures in place, as a data controller, you have to ensure you can facilitate data subjects’ rights.

Meeting the requirements of DSARs (data subject access requests), for instance, might be lower on your list of priorities at the moment. That’s entirely understandable.

However, if your resources are too stretched, don’t worry. The ICO states:

“We won’t penalize organizations that we know need to prioritize other areas or adapt their usual approach during this extraordinary period.”

The disruption caused by COVID-19 is inevitable, and it seems that we’re only at the start. You have enough to worry about without contending with things like cybersecurity and GDPR compliance issues. Taking a few small steps at this challenging time can help you protect yourself from GDPR compliance issues.


Want to learn more, please check out our SaaS Security eBook.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.


Want to stay informed on Augmentt’s progress? Please sign up for our regular updates. We won’t spam you, we promise!

[contact-form-7 id=”2641″ title=”Newsletter footer form”]

Telephone: 888-670-8444
Fax: 647-372-0393

450 March Rd – Unit 102
Kanata, Ontario, Canada
K2K 3K2


450 March Rd.
Unit 102
Kanata, Ontario
K2K 3K2
(fax) 647-372-0393


If you wish to receive our latest news in your email box, just subscribe to our newsletter. We won’t spam you, we promise!

[contact-form-7 id=”2639″ title=”Newsletter footer form”]

Copyright 2022. Augmentt Technology Inc.  All rights reserved.