Due to the Covid-19 outbreak, more employees than ever work remotely. Even in these special circumstances, where remote work is close to the new normal and many employers are under enormous pressure simply to keep their business operations running, it is crucial for the employer to remember that its responsibilities and obligations under the GDPR, and under any other applicable data protection legislation, continue to apply. Even when employees work from home, it is ultimately the employer who is responsible for compliance with all applicable data protection legislation.
Below we have gathered a few considerations relating to remote work and the processing of personal data relating to employees, customers and other business partners.
Managing the secure processing of personal data
Employers (as controllers) must, under the GDPR, ensure that personal data is processed securely, meaning that appropriate technical and organizational measures must be in place to protect any processing of personal data. It is up to the employer to decide what is or is not an appropriate measure – so what does this mean in practice?
- Updating the risk assessment
In practice, this means that each employer should carry out its own risk assessment and in this way identify the possible threats to any employee, customer or other personal data processed within its organization. The risk assessment must consider the nature of the data processed (for example whether special category data is involved) and anticipate threats that may exploit the organization's processes or technical systems. When employees work remotely, unsupervised, lost and stolen devices obviously pose an increased risk to personal data, as does work performed in public spaces (unsecured public Wi-Fi connections and visual hacking, i.e. shoulder surfing).
- Implementing appropriate security measures
While the GDPR does not prescribe any mandatory methods for securing the processing of personal data, it does (in Article 32) list measures that may be appropriate, such as pseudonymization or encryption. Pseudonymized personal data is still personal data, but it can no longer be attributed to a specific person without the use of additional information, which must be kept separately and protected. Encryption, in turn, means that personal data is transformed into ciphertext that cannot be read or understood without the corresponding key. Should an employee laptop be lost, for example, a third party could not access encrypted personal data without the encryption key, or re-identify pseudonymized data without the separately held additional information (the key or lookup table used to create the pseudonyms). Note that this protection only holds if the key is not stored on, or recoverable from, the same device: full-disk encryption on a laptop that is lost while powered on and unlocked does not protect the data.
Additional security measures to be considered include, to name a few, security and authorization policies (setting out the security measures and granting access to personal data only to those employees who need it to perform their work tasks), controlling access to devices (strong passwords, and ideally multi-factor authentication), secured internet connections, a prohibition on using public Wi-Fi for work-related matters, and up-to-date software and appropriate antivirus software on all remote work devices.
Also in these circumstances, the employer should regularly test, assess and evaluate the effectiveness of its technical and organizational measures. At the same time, the employer should remind and educate its employees about the acceptable use of, and the rules relating to, the employer's network, software, internet connection and devices. In this way employees are again made aware of their rights and obligations towards the employer and of the working conditions that apply when working remotely.
Bring your own device (BYOD)
Employers applying the "bring your own device" principle should pay specific attention to the secure processing of personal data. Even though the devices are not owned by the employer, employees should be made aware that the employer's security policies also apply to these devices. The employer should see to it that a proper BYOD policy is in place and that all employees read, sign and understand the policy so that they are aware of their responsibilities. A BYOD policy should naturally include instructions on the acceptable use of the device and security information (e.g. how and where personal data shall be stored and kept secure, the password policy, which third-party apps may or may not be installed, and the employer's right to disconnect the device, and remotely wipe work data from it, if it is lost). The employer should also ensure that any (customer) data on the employee's own device can be retrieved and controlled in the event the employee decides to leave the organization.
Understanding the incident management process – the Finnish National Cybersecurity Centre warns of Covid-19 related scams
Employees disregarding the employer's training, guidelines and rules on the processing of personal data, together with phishing scams and fraudulent websites targeting employees, pose a major security risk for the employer. A data breach may, however, also stem from a very simple and minor employee action, such as sending an email containing personal data to the wrong recipient.
Employers must be able to quickly recognize, contain and respond to any security incident, and should review their incident management processes to make sure they have the capabilities to act as required. Under the GDPR, a personal data breach must be notified to the supervisory authority (in Finland the Office of the Data Protection Ombudsman) without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk, the affected data subjects must also be informed without undue delay. Because the 72-hour clock starts when the employer becomes aware of the breach, employers should make clear to their employees that any suspected data breach must be reported to the employer immediately; every day of internal delay shortens the time available for investigation. Additionally, employees should be trained to recognize data breaches, since breaches are not always obvious, may come in many different forms and can result from both accidental and deliberate causes.
Employers should also remember the GDPR requirement that controllers (employers) must document every personal data breach, including the facts relating to the breach, its effects and the remedial action taken, regardless of whether the breach was notifiable. The supervisory authority may examine this documentation retrospectively should it investigate the breach.