Working from home? The GDPR still applies.
Get the work done
A global push towards remote working, and the unique circumstances of 2020, have created a keen focus on getting the work done from anywhere. While your business focuses on ensuring that service and delivery don’t falter when the office is closed, it’s critically important to keep GDPR compliance and cyber security in mind. Here are five ways to secure your remote working environments:
1. A remote access policy
In designing and developing the GDPR, legislators took note of the need to secure personal data as it moves around, in transit. This type of data movement is common within remote work settings. A remote access policy is an important part of your business’ GDPR policies and procedures. Your remote access policy should include:
- A set of policies, procedures, standards, and systems that are used to ensure the security of personal information.
- A set of security tools that each remote working environment uses. These may include VPNs, user authentication tools, encryption, and other security systems.
2. Secure data in transit and at rest
Your team works from home, works from a coffee shop, or works from an aeroplane. Just as your team moves around, personal data does too. The GDPR inherently recognises this movement of personal data and requires that the data be protected with adequate safeguards such as encryption. In practice, we refer to data in various states, such as “data at rest” or “data in transit”, when determining appropriate or adequate safeguards for the relevant states. Data is considered to be “in transit” when it is travelling between two points:
- This could be physical, when a team member is transporting data on a laptop or similar device.
- It could also be technical, as data moves from a server to a front end, or is moving between devices.
An example of data at rest would be when it is stored on a particular device. This could mean the personal data is stored on a laptop, memory stick, or other type of equipment. There are many ways to protect data in transit and at rest. As part of your remote working procedures, you need to ensure personal data is secured and protected, no matter when and how it is accessed. Your business should use identity, access and user management tools to ensure personal data stays secure, no matter where your team works from.
3. Security tools and policies
Anti-malware software, anti-virus software, and secure browsing tools are mission-critical technologies that your remote working teams must use. Similarly, encryption tools and systems can help to secure personal data, even when a device – like a laptop or mobile phone – is lost or stolen.
4. Two-factor authentication
Preventing phishing attacks, and other types of unauthorised access to personal data, is important. Using two-factor authentication tools and systems can help to secure personal data and ensure your remote working environments do not spell opportunity for hackers.
5. Who needs what data
There’s another level of data protection that often gets overlooked: the simple tactic of access control. Your remote working teams don’t need access to every piece of information your business stores and uses. By deploying user and task-focused data policies, it’s possible to secure personal data while ensuring your teams have the information they need to get their work done.
Data breaches and personal responsibility
Training your employees to work from a perspective of data protection by design is important for remote working teams. The most common cause of data breaches is simple human error. For guidance on how to secure your remote working environments, or to set up a training workshop, get in touch with ProPrivacy. We’d love to help your business and your teams flourish, while staying secure, from anywhere in the world.
Philipa is the lead consultant and auditor at ProPrivacy. With clients as far afield as Canada, South Africa, Kenya, Germany, Spain and other such exotic locations, besides Cork and elsewhere in Ireland, Philipa enjoys a broad view of the state of data protection, privacy and cyber security worldwide. Philipa’s passion is manageable data compliance for SMEs.
Philipa is a qualified teacher and also holds qualifications in computer science (Bachelor of Science in Artificial Intelligence Programming) and in electronic and intellectual property law (LLB). She is trained in constitutional (fundamental) rights litigation and enjoys a good debate.
Philipa has over twenty years of experience working in organisations of different sizes and sectors on operational, governance, risk management and compliance matters. She is an analytical and focused person who enjoys a challenge in the workplace. She loves technology, systems and people and has a passion for showing people how technology can make life easier and better. She understands that the world is driven by data today but privacy is paramount. Responsibly developed AI excites Philipa for the future.