DATA PROTECTION AND HOME OFFICE

Following the Covid-19 pandemic, many employers have decided to allow their employees to work from home. With today's technological solutions, most employees can carry out business processes from the comfort of their home as efficiently as from the office, which necessarily implies access to data stored in the internal systems of the company. Although this opens up many possibilities, appropriate measures need to be taken so that the home office does not become a risk to the protection of personal data and trade secrets.

 

Pursuant to the General Data Protection Regulation (GDPR), the processor and the controller of personal data are obliged to implement appropriate technical and organizational measures to ensure a level of data security appropriate to the risk. Changed processing circumstances, such as working from home, change the type and level of data protection risk. Therefore, in accordance with the requirements of the GDPR, it is first necessary to assess the level of risk, taking into account the risks of accidental or unlawful destruction, loss, alteration or unauthorized disclosure of personal data, and of unauthorized access to personal data, that arise from employees working from home. To ensure that measures taken to protect the health of employees do not jeopardize data security, business processes can be adjusted by taking the following additional steps:

 

CHOOSE A SECURE METHOD OF REMOTE ACCESS

 

Whether remote access is via VPN (virtual private network) or special software (e.g. TeamViewer, AnyDesk, etc.), it is important that the chosen solution provides a secure, encrypted connection between the user and the office's internal network. Transmitting data over public networks should be avoided, as it significantly increases the risk of unauthorized access to the data.

 

INSTALL ANTIVIRUS PROGRAM ON EACH DEVICE

 

Many employees use their own computers, smartphones and tablets to work from home. As they access and process protected data via personal devices, these devices must be protected by an appropriate antivirus program, just as computers on office premises are. This reduces the risk of destruction of, or unauthorized access to, the data.

 

USE ENCRYPTION

 

Encryption is one of the technical data protection measures explicitly named in the GDPR. Data is particularly at risk when transmitted over a network (the Internet), so encryption is an additional guarantee that prevents unauthorized access to the content even if the documents are intercepted. Data that is not transmitted, but only stored in the internal system, should also be protected by encryption as an additional measure against unauthorized access.
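The following is an added example, not code from the original article or from the firm that published it, illustrating the point above: data encrypted with a modern authenticated cipher (here AES-256-GCM from the Go standard library) cannot be read by anyone who intercepts or copies it without the key, and any tampering with the stored or transmitted copy is detected on decryption. The key, the sample record and the helper names (`NewKey`, `Encrypt`, `Decrypt`, `TamperDetected`) are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 32-byte key for AES-256.
// In practice the key lives in a key store, never next to the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key with AES-GCM.
// Output layout: nonce || ciphertext || authentication tag.
// A fresh random nonce is generated for every call; reusing a nonce
// with the same key would break the confidentiality guarantee.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the blob is self-contained.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a blob produced by Encrypt. It fails with an error if the
// key is wrong or if a single bit of the blob has been modified.
func Decrypt(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// TamperDetected flips one byte of the ciphertext body and reports whether
// decryption correctly refuses the modified blob (it must).
func TamperDetected(key, blob []byte) bool {
	tampered := make([]byte, len(blob))
	copy(tampered, blob)
	tampered[len(tampered)-1] ^= 0x01 // corrupt the last byte (part of the tag)
	_, err := Decrypt(key, tampered)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; no real personal data.
	record := []byte("employee-id=0042;name=Example Person;salary=confidential")
	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes) reveals nothing about the record\n", len(blob))
	plain, err := Decrypt(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted with the right key: %s\n", plain)
	fmt.Printf("tampering detected: %v\n", TamperDetected(key, blob))
	other, _ := NewKey()
	_, err = Decrypt(other, blob)
	fmt.Printf("decrypting with a different key fails: %v\n", err != nil)
}
```

The same construction protects both cases the paragraph mentions: a blob written to disk (data at rest) and a blob sent over a network (data in transit) are unreadable without the key, and the authentication tag means a modified copy is rejected rather than silently accepted.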

 

USE STRONG PASSWORDS

 

It is recommended that each employee or device has its own password, different from those used by other employees. In addition to making unauthorized access "from outside" more difficult, this also ensures that certain data can be accessed only by those employees who are authorized to do so. It is important to use strong passwords for user accounts and protected files, and to change them periodically for an extra level of security.

 

DO NOT DOWNLOAD DATA TO PRIVATE DEVICES

 

If a secure connection provides remote access to an office computer, there is no real need to download data to a laptop at home, and doing so poses a risk to data protection. Employees' private devices that are not used exclusively for business purposes often have a lower level of security and lower-quality data protection solutions. Also, data stored on a home device usually has no backup, whereas when working on an office computer (either directly or remotely) the internal server regularly (daily or as needed) makes backups that are protected from unauthorized access, loss or destruction in the event of an attack or accident.

 

DO NOT SEND DATA TO PRIVATE E-MAIL

 

As already pointed out, data is generally most at risk when transmitted over the Internet. What applies to private devices also applies to employees' private e-mail. Official office e-mail is generally protected by strong passwords that are changed periodically, and often uses domains that provide a higher level of privacy and security for users than the usual e-mail providers most people use for private purposes.

 

REPORT ANY BREACH OF DATA

 

Despite all measures taken, unauthorized access, loss or destruction of data can still occur, for example if a device is infected with a virus or lost, or an unauthorized person intercepts data. In this case, the controller must notify the Personal Data Protection Agency within 72 hours, unless the breach is unlikely to pose a risk to the rights and freedoms of individuals. If the breach is likely to pose a high risk to rights and freedoms, the data subjects should also be notified without delay. In addition, all reasonable measures should be taken without delay to mitigate the potential consequences of the breach.

 

AVOID THE USE OF PUBLIC NETWORKS

 

Using public networks (such as those in libraries, hotels and cafes) to access and process protected data significantly increases the risk of data breaches, as a public network can be accessed by an unlimited number of users, and the level of security it provides is often far below that of the internal network.


ENSURE VIRTUAL MEETINGS COMPLY WITH THE GDPR

 

When organizing meetings through online services such as Skype, Zoom and others, it is advisable to read the privacy policy and data protection rules of these applications before using them. If there is any doubt about the software's compliance with the GDPR, other options should be examined and, whenever possible, the option that poses the least risk to the data of all participants should be chosen. At each meeting, lecture or workshop (webinar), the facilitator is obliged to inform all participants about which personal data will be stored or visible to others (name, location, mobile phone number, etc.) and to provide all other information prescribed by the GDPR (identity of the controller, purpose and duration of processing, rights of data subjects, etc.). This information can be provided to participants with the invitation to participate, through a link provided to everyone when joining the online seminar, and so on. Since some online platforms allow meetings to be recorded, each participant must be informed of any recording.

 

EDUCATE EMPLOYEES AND UPDATE INTERNAL POLICIES

 

Each controller should, through authorized persons, inform all employees about appropriate measures for safe work from home, educate them on how to apply them, and, if necessary, help them set up additional protection systems. If the internal policies do not already regulate the additional steps to be taken in special circumstances, the regulations and records need to be brought into line with the new way of working.

 

 

As always, bringing a business into line with the GDPR is achieved in different ways depending on the type of business, the categories of data processed, the participants in the processing, and so on. What is common to all is that aligning business processes with data protection requirements is a process that never ends: it is necessary to continuously adapt to current changes and risks, such as working from home, which is currently a necessity for many but also a generally growing trend among employers.
For more information contact us at:

 

Tel: 01/4862-690

E-mail: odvjetnicko.drustvo@owens-houska.hr