As many organisations adjust their business operations as a result of the COVID-19 pandemic, network and data security are in the spotlight. The significant increase in remote working brings unique challenges, and organisations must remain mindful of their legal obligations to keep personal data secure. In particular, the EU General Data Protection Regulation (“GDPR”) imposes a general obligation on data controllers and processors to ensure the security of data processing against accidental or unlawful loss, damage, destruction, alteration or disclosure.
Controllers and processors must have in place appropriate technical and organisational measures to ensure a level of security for personal data that is commensurate with the risk associated with the processing. This is not a static analysis, but something to be kept under review as circumstances change. The mass shift to remote working has inevitably changed the risk profile of certain data processing activities. Set out below is a summary of important considerations from a data security standpoint, taking into account the GDPR’s requirements as well as guidance from data protection supervisory authorities in the UK, France, Belgium, Germany and Italy.
I. Business As Usual – Security and Compliance “Must Haves”
1. System Security Updates
2. Network Limitations
3. IT Expertise
4. Vetting Vendors
II. Mass Remote Working – Addressing New Challenges
1. GDPR Data Protection Impact Assessment (DPIA)
2. Update Remote Working Policies
3. Mitigating Remote Login Vulnerabilities
4. Phishing Training
5. Document Management and File Transfers
6. Remote Access and Erasure
7. Video and Tele-conferencing
III. Bring Your Own Device (BYOD)
1. BYOD – Pros and Cons
2. BYOD Policy
3. Securing Data Transfers
4. Monitoring and Employee Rights
[1] Reproduced with thanks to Christopher Schmidt CIPP/E CIPM CIPT CBSA (https://twitter.com/PiracyByDesign)
[2] In some European jurisdictions, monitoring of employees’ behaviour should be undertaken only following consultation with the employees’ representatives, with the consent of trade unions, or following conclusion of an agreement between a union and the employer.