As many organisations adjust their business operations as a result of the COVID-19 pandemic, network and data security are in the spotlight.  The significant increase in remote working brings unique challenges, and organisations must remain mindful of their legal obligations to keep personal data secure.  In particular, the EU General Data Protection Regulation (“GDPR”) imposes a general obligation upon data controllers and processors to ensure the security of data processing against accidental or unlawful loss, damage, destruction, alteration or disclosure.

Controllers and processors must have in place appropriate technical and organisational measures to ensure a level of security for personal data that is commensurate to the risk associated with data processing.  This is not a static analysis, but something to be kept under review as circumstances change.  The mass shift to remote working has inevitably changed the risk profile of certain data processing activities.  Set out below is a summary of important considerations from a data security standpoint, taking into account the GDPR’s requirements as well as guidance from data protection supervisory authorities in the UK, France, Belgium, Germany and Italy.

I. Business As Usual – Security and Compliance “Must Haves”

1.      System Security Updates
  • Remote working should not mean that business as usual procedures are forgotten.
  • Organisations should ensure that employees have updated their machines with appropriate anti-virus software and firewalls, and that the latest security patches are downloaded as soon as they are made available.
2.      Network Limitations
  • Ensure that appropriate limitations are in place across your network, including limitations on internet access, through blocking non-essential services that invite security vulnerabilities (for example, file sharing websites).
3.      IT Expertise
  • Managing risk, detecting and mitigating security issues, training staff and responding to questions and challenges will largely fall to an organisation’s IT team.
  • Organisations should ensure they have appropriate expertise within their business and that IT security experts have the necessary resources available to respond to new challenges.
4.      Vetting Vendors
  • Due diligence of service providers (including “data processors”) is a must.  Organisations should ensure that all third party providers have been vetted against internal security standards, robust contractual agreements are in place in compliance with the GDPR, and internal recordkeeping memorializes that such due diligence was undertaken.

II. Mass Remote Working – Addressing New Challenges

1.      GDPR Data Processing Impact Assessment (DPIA)
  • Remote working may move data processing into the “high risk” category, giving rise to a DPIA requirement under the GDPR.
  • Whether or not the legal threshold is met, DPIAs can be a helpful way to identify and mitigate risks and ensure that security procedures remain effective in the remote working context.  The DPIA process can also help organisations to meet the GDPR’s “accountability” requirement.
  • Organisations processing health data as a result of the COVID-19 pandemic should also consider carrying out a DPIA.
2.      Update Remote Working Policies
  • It may also be the right time for organisations to revisit their remote working policies, which were probably not designed with prolonged, mass remote working in mind.
  • New rules for employees should be considered, covering, for example, the expected standard of security for their home workstations, information and data confidentiality, hard copy and electronic file destruction, and appropriate device usage.
  • Employees must clearly understand the consequences of a data incident and should be informed of when, where and how they must report any such incident (e.g., data breach or data loss).
  • Employees should also be alerted to their employer’s rights and duties in relation to monitoring of employees’ compliance with policies and security requirements (including the employer’s ability to remotely access and delete data, for example; see section III(4) below for more information).
3.      Mitigating Remote Login Vulnerabilities
  • Use a VPN: a Virtual Private Network (VPN) enables a user to securely log in to an organisation’s private, internal systems remotely.  Data sent through a VPN is encrypted and unreadable if intercepted by an unauthorised third party.
  • Use two-factor authentication: passwords alone are easy to hack. To access the VPN, employees should be required to use a two-factor authentication process (i.e., two layers of security confirmation).  For example, a password combined with submission of a code that has been sent to a secondary device (such as a mobile telephone, via SMS).
  • Force password changes regularly: employees should be required to use complex, unique passwords (i.e., not common words, dates or identifying information).  Regularly require employees to change their passwords, to reduce the likelihood of them being guessed by a hacker.
4.      Phishing Training
  • Can your employees spot a phishing email and report it quickly?
  • Employees will be receiving a high volume of email traffic at this time and bad actors may be looking for opportunities to take advantage of unsuspecting employees.  Training on how to spot scam emails should be prioritised.
  • Consider creating procedures for employees with access to payroll, accounting and other critical systems to confirm that instructions and requests have been properly authorised.
5.      Document Management and File Transfers
  • New working from home policies should include rules of the road for saving, deleting and transferring electronic files.
  • Employees should be instructed not to save any work-related documents locally if they are operating on a shared machine, and to ensure thorough deletion of files on a shared machine, including deleting documents from the “downloads” folder and from the device’s recycle bin.
  • Employees should be given instructions on how to use secure file transfer mechanisms (e.g., Transport Layer Security (TLS) protocols) when sharing sensitive data online.  Files intercepted in transit over a correctly functioning TLS connection remain unreadable to the unauthorised interceptor.
6.      Remote Access and Erasure
  • Ensure employee devices are appropriately linked to the organisation’s network so that, where necessary (for example, where an employee’s device is discovered to be compromised, or where an employee is incapacitated), the hard drive can be wiped remotely or data can be accessed to allow an employee’s functions to be carried out by a third party.
7.      Video and Tele-conferencing
  • Ensure that video and tele-conferencing services are secure (popular communications apps may be vulnerable to digital eavesdroppers – employees should be required to use only pre-approved service providers).  Organisations may want to consult the Dutch data protection supervisory authority’s comparison of videoconferencing tools. An unofficial translation can be found here.[1]
  • As mentioned above, appropriate due diligence should be undertaken when selecting vendors and a DPIA may be appropriate in some cases.

III. Bring Your Own Device (BYOD)

1.      BYOD – Pros and Cons
  • Allowing employees to use their own devices is a helpful and efficient remote working solution.
  • However, organisations are likely to be considered responsible for personal data processing undertaken by an employee in the course of their employment.  Allowing an employee to use their own device for this purpose, therefore, enhances the data processing risk and organisations must ensure that such personal devices (and the means through which they access the network) are secure.
  • With BYOD, the employer/data controller has less control and therefore must take steps to mitigate the blurring of personal and business use of data, data leakage, departing employees, and loss/theft of devices.
2.      BYOD Policy
  • Employees’ use of personal equipment should be subject to the prior approval of the network administrator, as well as BYOD and acceptable use policies (which should be as robust as policies imposed on the use of corporate devices).
  • Provide for strict password and authentication requirements (golden rules: (i) use a combination of letters, numbers and symbols; (ii) change your password every 28 days; (iii) ignore automatically-generated “save your password” messages; (iv) use two-factor authentication for access to the organisation’s network).
  • Set out appropriate limitations for data processing in the BYOD context (for example, it may not be appropriate to authorise the use of an employee’s personal device for the collection and processing of sensitive data such as health information).
  • Include controls on device use by third parties (such as family members).  Require automatic locking of devices after a period of inactivity.
  • Clearly identify where data should be stored (can the employee save data to their device, or should it be uploaded to the network with any copies being deleted?).  Provide clear instructions regarding how the employee should segregate personal content and device usage, so that employers can safely monitor business-related use of the same device.
  • Require the use of apps to ring-fence certain data processing activities (subject to appropriate security features being present).
  • Set out data erasure protocols to avoid the device being sold or transferred to a third party with business information stored on it.
  • Explain that the organisation will maintain the ability to remotely access and delete data from the device (for example, to delete data in the event that the employee reports a device lost or stolen or to access data in the event that an employee is incapacitated and cannot perform their functions).
  • Require that home Wi-Fi passwords be changed regularly.
  • Require employees to alert the network administrator in the event of any actual or suspected security incident or breach, and set out the procedure for access to the personal device by the organisation to mitigate the impact of such breach.
3.      Securing Data Transfers
  • BYOD arrangements will involve the transfer of data between the employee’s device and the corporate network.
  • To reduce the risks associated with such transfers, consider permitting data transfers only via encrypted channels such as VPNs and TLS, prohibiting the use of cloud-based data sharing or public backup services, and taking appropriate measures to monitor data transfers in order to spot unauthorised interception of data (see below for information on monitoring and employee rights).
4.      Monitoring and Employee Rights
  • As noted above, it may be necessary for security and compliance reasons to monitor data processing activities in connection with BYOD arrangements (and remote working arrangements more generally). However, any such monitoring must be carefully balanced with employees’ rights and must take into consideration relevant national restrictions.[2]
  • Monitoring must be proportionate and focus on specific, legitimate purposes (such as network and data security or compliance with internal policies for the security of corporate assets).
  • Where employees are using their own devices, monitoring parameters must carefully take into account employees’ personal use of the device.
  • Employees should be fully informed about monitoring as well as the ability of the organisation to wipe data remotely and limit device and app access remotely.
  • Equally, organisations may want to audit device usage to check what business data has been accessed and stored by employees, ensure that security measures are still in place and functioning correctly, and monitor employees’ compliance with internal policies.  Such audits should be fully explained to, and undertaken with the cooperation of, the employee.

[1] Reproduced with thanks to Christopher Schmidt CIPP/E CIPM CIPT CBSA (https://twitter.com/PiracyByDesign)

[2] In some European jurisdictions, monitoring of employees’ behaviour should be undertaken only following consultation with the employees’ representatives, with the consent of trade unions, or following conclusion of an agreement between a union and the employer.