Considerations for a remote Work Policy under GDPR
When it came into effect in May 2018, the General Data Protection Regulation (GDPR) required any organisation doing business with European citizens to make significant changes to its data processes. In the first year of GDPR being law, it undoubtedly brought a new level of data hygiene to enterprises. Driven by the regulation, organisations across the globe went through the painful and often costly exercise of ensuring they had an overview of personal information in use, and more importantly, had implemented tools to be able to process and store that data in a secure manner.
Just as we recently hit the two year anniversary of this important milestone in data management, the coronavirus crisis has forced organisations to face the daunting task of most likely having to revisit their initial efforts, as the “new normal” of social distancing guidelines have forced huge parts of the workforce to stay at home and work remotely, and turned most of their customer communications digital.
Data protection principles in unprecedented circumstances
Personal data can only be gathered under strict conditions and for legitimate purposes. Those organisations who collect and manage people’s personal information must protect it from misuse and must respect their rights at all times – and employees working remotely are no exceptions. The regulation links data protection, data privacy and information security, and sets out six interlinked principles. These principles highlight the importance of having an organisation assign stakeholders who understand the ‘why and what’ of data collection and retention:
- An organisation has to ensure that personal data is processed lawfully, fairly and transparently;
- Personal data can only be collected for specified, explicit and legitimate purposes;
- The use of personal data needs to be adequate, relevant and limited to what is necessary in relation to the purpose(s) for which the data is being processed;
- Organisations have to ensure thatdata is accurate and, where necessary, kept up to date;
- Data must not be kept for longer than necessary;
- Personal data needs to be processed in a manner that ensures the appropriate security of this information, including protection against unauthorised or unlawful data processing and against accidental loss, destruction or damage.
Any organisations that already had processes and policies in place for remote working with personal data are counting themselves lucky under the current circumstances. They are in the enviable position of merely ensuring those policies and rules are in use by all their staff working from home. However, those organisations that have only had an onsite workforce, or limited flexible working may have to open up their records of processing activities and each of their data protection impact assessments (DPIA) to see if working from home has an impact or changes the level of risk.
Core to compliance with GDPR is due diligence. The requirements are two-fold: assessing the different infrastructure and systems staff use when working from home, and having an understanding of whether sensitive data is flowing unprotected through networks. Is data handled differently to when employees are working at the office? It is the organisation’s responsibility to ensure that the appropriate controls are in place when personal information is accessed or processed from a home environment, as much as it was from the office. As a Data Privacy Impact Assessment (DPIA) has to identify and analyse how data privacy might be affected by the differing actions or activities when working from home, companies are obliged to ensure appropriate controls are in place depending on the sensitivity of that data.
Reopening Data Privacy Impact Assessments
A Data Privacy Impact Assessment (DPIAs) is a process to identify data protection and privacy risk and address them accordingly. Under GDPR, where processing operations present specific risks to (in effect) individuals’ privacy rights due to their nature, scope or purposes, controllers, or processors acting on the controller’s behalf, an organisation must carry out an assessment of the impact of the proposed processing operations on the protection of personal data.
It is important to point out that performing a DPIA is an ongoing process and as any project develops or a new situation arises, new risks might be identified and equally ways to avoid risk have to be found. When an organisation is conducting a material change to an existing system or process – as might be the case when employees work from home – it is time to revisit the DPIAs and check whether the new situation and processes are already covered or need to be extended.
When organisations were first confronted with a new set of data privacy and security regulations more than two years ago, many were forced to quickly implement state of the art security tools to keep data secure. However, at that time, the focus of that initial exercise was most likely limited to office boundaries. Keeping sensitive data safe while working from home is now proving to be a challenge that can introduce additional risks to sensitive data.
Data privacy and working from home
With the global COVID-19 situation forcing all members of a household to stay at home wherever possible, each individual environment has to be evaluated. What does the workplace look like when working from home? Is there even a physical office available, or a cupboard or closet that can be locked in order to guarantee privacy of data and devices? And more importantly, for families with children, is the technical device used for work exclusively used for work purposes? It’s all too tempting to allow the family to use a laptop once in a while just for some peace and quiet, or to use it for casual private browsing for stressed parents. On the other hand, security risks can be introduced in the opposite way – if private devices that might not be equipped with security tools are used for work.
Thanks to modern technology, there is no doubt that employees can stay productive while out of the office. However, it needs to be ensured that the private work environment keeps any accessed and processed data as secure as in a corporate office. Organisations are therefore having to revisit their security posture to provide a safe remote working experience that prevents data breaches. Not only should they address vulnerabilities to their own networks and the physical storage of data, they will have to face the fact that most remote workers will have to move data between the corporate network, the cloud and the personal laptop. To protect personal data in transit from one location to another, GDPR suggests encryption to protect privacy and security and prevent leakage.
The CISO lens on GDPR is comparatively easy, as once information has been identified and classified as ‘personal data’, the security function needs to ensure that the processing of information is carried out in an appropriate way. The term ‘secure’ is subjective but the security function should ensure a standard set of controls commensurate with the sensitivity of information. As GDPR puts it, it’s all about ensuring a level of security appropriate to the risk.
Taking privacy by design into consideration
GDPR has introduced a new concept called data protection by design and default. In simple terms this means that from the very start of activities touching on data processing privacy issues must be addressed.
In more technical terms, GDPR says that a data controller must at the time of the determination of the means for processing and at the time of the processing itself implement appropriate technical and organisational measures based on:
- the cost of implementation
- the nature, scope, context and purposes of processing,
- the risks that may be faced by individuals, posed by the processing in question
Taking the working from home situation into account, controllers will have to implement appropriate measures to ensure that, by default, only personal data which is needed for each specific purpose of the processing is processed. This will encompass the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. The measures must also ensure that by default personal data are not made accessible without an individual’s prior consent.
The IT security function can help here by ensuring that organisational project processes are in line with a remote work policy.
Five considerations for a remote working policy
Not all of an organisation’s employers will be accessing sensitive personal information while they are working from home. It is not a set of blanket changes required for the whole organisation, it’s more granular than that. First and foremost, an organisation has to figure out which employees are dealing with sensitive information.
Step 1: Reopen your DPIA to figure out where a remote policy needs to be applied
A first consideration for a remote working policy is to figure out where you need to apply this policy. That means a DPIA has to be reopened to understand the impact of the new environment of remote working. During this process organisations gain insight into which employees do access sensitive personal information while working from home, and subsequently create categories for the remote workforce.
Step 2: What are the home office physical requirements?
Based on the impact of the DPIA, new controls might have to be applied specifically for that category of employees dealing with sensitive information while working remotely. Organisations have to figure out what the home office has to look like for the different categories of remote workers. When you are looking at the physical security of a remote workplace you have to take different measures into account based on the categorisation. That might start with having a separate room at home that can be locked at the very minimum and range up to video surveillance for the highest security category. Again, depending on the categorisation of sensitivity and what the employees are dealing with, organisations might have to consider the ability to lock file storage or even ensure that computing equipment cannot leave the room acting as office within the home.
Step 3: IT security requirement for the home office
Under GDPR personal data has to be kept secure under all circumstances and this is probably the biggest challenge in a remote office scenario to maintain visibility into the data traffic and devices in order to prevent threats. Both data controllers and data processors have to implement appropriate technical and organisational measures to ensure the same level of security in the home office environment as in the corporate office, and that is appropriate to the risk. Remote employees require secure access to the resources they need in the corporate data centre or the cloud. Additionally, some sort of data governance has to be applied to make sure that the data stays where it is supposed to stay and is not copied locally.
Step 4: User awareness of the remote working policy
Organisations have to ensure that their remote employees are aware of the acceptable use policy of an organisation and it is recommended that they remind the workforce of the acceptable use policies (AUPs). This point tends to get neglected most easily, as this goes along with the fact that a device that is used at home is still a working device. Those employees dealing with sensitive information must ensure, that nobody else in the family deals with that PC or laptop.
Step 5: Training employees
Finally, the pandemic situation we have seen recently calls for a rethinking of general security training. As bad actors are using times of uncertainty and fear to spread new malware campaigns, organisations should switch up their security training as well. Open and frequent communication with staff around their security responsibilities is key when staff are not in the corporate office.
Managing data in the new normal – whatever that may be
The only comfort for organisations might be that their efforts in revisiting GDPR compliance will not be in vain. As we emerge from the global pandemic, working from home is predicted to become the new normal and the idea of a remote workforce is permanently here to stay. Even if a large percentage of workers return to the office, the workforce will now be able to enjoy the flexibility of working remotely more than ever before. While GDPR compliance is focused on the protection of privacy, organisations are well advised to maintain control over their personal and sensitive data in all work environments regardless. A remote work policy is now a necessity to manage data and keep it secure as we transition into an as yet unknown new normal.
Marc Lueck
Marc Lueck is a senior security practitioner with over 20 years of experience crossing multiple industry sectors, from financial services to publishing. With a strong technical background, he has spent the past ten years leading security improvement programmes for the likes of Pearson, T-Systems and Symantec. Lueck is also an advisory board member of ClubCISO, a security leadership peer group.