To print this article, all you need is to be registered or login on Mondaq.com.
As many organisations adjust their business operations as a
result of the COVID-19 pandemic, network and data security are in
the spotlight. The significant increase in remote working, brings
unique challenges and organisations must remain mindful of their
legal obligations to keep personal data secure. In particular, the
EU General Data Protection Regulation ("GDPR")
imposes a general obligation upon data controllers and processors
to ensure the security of data processing against accidental or
unlawful loss, damage, destruction, alteration or disclosure.
Controllers and processors must have in place
appropriate technical and organisational measures to
ensure a level of security for personal data that is commensurate
to the risk associated with data processing. This is not a static
analysis, but something to be kept under review as circumstances
change. The mass shift to remote working has inevitably changed the
risk profile of certain data processing activities. Set out below
is a summary of important considerations from a data security
standpoint, taking into account the GDPR's requirements as well
as guidance from data protection supervisory authorities in the UK,
France, Belgium, Germany and Italy.
I. Business As Usual - Security and Compliance "Must
System Security Updates
- Remote working should not mean that business as usual
procedures are forgotten.
- Organisations should ensure that employees have updated their
machines with appropriate anti-virus software and firewalls, and
that the latest security patches are downloaded as soon as they are
- Ensure that appropriate limitations are in place across your
network, including limitations on internet access, through blocking
non-essential services that invite security vulnerabilities (for
example, file sharing websites).
- Managing risk, detecting and mitigating security issues,
training staff and responding to questions and challenges will
largely fall to an organisation's IT team.
- Organisations should ensure they have appropriate expertise
within their business and that IT security experts have the
necessary resources available to respond to new challenges.
- Due diligence of service providers (including "data
processors") is a must. Organisations should ensure that all
third party providers have been vetted against internal security
standards, robust contractual agreements are in place in compliance
with the GDPR, and internal recordkeeping memorializes that such
due diligence was undertaken.
II. Mass Remote Working - Addressing New Challenges
GDPR Data Processing Impact Assessment (DPIA)
- Remote working may move data processing into the "high
risk" category, giving rise to a DPIA requirement under the
- Whether or not the legal threshold is met, DPIAs can be a
helpful way to identify and mitigate risks and ensure that security
procedures remain effective in the remote working context. The DPIA
process can also help organisations to meet the GDPR's
- Organisations processing health data as a result of the
COVID-19 pandemic should also consider carrying out a DPIA.
Update Remote Working Policies
- It may also be the right time for organisations to revisit
their remote working policies, which were probably not designed
with prolonged, mass remote working in mind.
- New rules for employees should be considered including the
expected standard of security for their home work stations,
information and data confidentiality, hard copy and electronic file
destruction, and appropriate device usage, for example.
- Employees must clearly understand the consequences of a data
incident and should be informed of when, where and how they must
report any such incident (e.g., data breach or data loss).
- Employees should also be alerted to their employer's rights
and duties in relation to monitoring of employees' compliance
with policies and security requirements (including the
employer's ability to remotely access and delete data, for
example; see section III(4) below for more
Mitigating Remote Login Vulnerabilities
- Use a VPN: a Virtual Private Network (VPN) enables a
user to securely log-in to an organisation's private, internal
systems remotely. Data sent through a VPN is encrypted and
unreadable if intercepted by an unauthorised third party.
- Use two-factor authentication: passwords alone are
easy to hack. To access the VPN, employees should be required to
use a two-factor authentication process (i.e., two layers of
security confirmation). For example, a password combined with
submission of a code that has been sent to a secondary device (such
as a mobile telephone, via SMS).
- Force password changes regularly: employees should be
required to use complex, unique passwords (i.e., not common words,
dates or identifying information). Regularly require employees to
change their passwords, to reduce the likelihood of them being
guessed by a hacker.
- Can your employees spot a phishing email and report it
- Employees will be receiving a high volume of email traffic at
this time and bad actors may be looking for opportunities to take
advantage of unsuspecting employees. Training on how to spot scam
emails should be prioritised.
- Consider creating procedures for employees with access to
payroll, accounting and other critical systems to confirm
instructions and requests have been properly authorized.
Document Management and File Transfers
- New working from home policies should include rules of the road
for saving, deleting and transferring electronic files.
- Employees should be instructed not to save any work-related
documents locally if they are operating on a shared machine and to
ensure thorough deletion of files on shared machine, including
deleting documents from the "downloads" folder and from
the device's recycle bin.
- Employees should be given instructions on how to use secure
file transfer mechanisms (e.g., Transport Layer Security (TLS)
protocols) when sharing sensitive data online. Any unauthorised
interception of files sent through a correctly functioning TLS
system will render the contents of the files unreadable.
Remote Access and Erasure
- Ensure employee devices are appropriately linked to the
organisation's network so that, where necessary (for example,
in the event that it is discovered that an employee's device is
compromised or where an employee is incapacitated) the hard drive
can be wiped remotely or data can be accessed to allow an
employee's functions to be carried out by a third party.
Video and Tele-conferencing
- Ensure that video and tele-conferencing services are secure
(popular communications apps may be vulnerable to digital
eavesdroppers - employees should be required to use only
pre-approved service providers). Organisations may want to consult
the Dutch data protection supervisory authority's comparison of
videoconferencing tools. An unofficial translation can be found here.1
- As mentioned above, appropriate due diligence should be
undertaken when selecting vendors and a DPIA may be appropriate in
III. Bring Your Own Device (BYOD)
BYOD - Pros and Cons
- Allowing employees to use their own devices is a helpful and
efficient remote working solution.
- However, organisations are likely to be considered responsible
for personal data processing undertaken by an employee in the
course of their employment. Allowing an employee to use their own
device for this purpose, therefore, enhances the data processing
risk and organisations must ensure that such personal devices (and
the means through which they access the network) are secure.
- With BYOD, the employer/data controller has less control and
therefore must takes steps to mitigate the blurring of personal and
business use of data, data leakage, departing employees, and
loss/theft of devices.
- Employees' use of personal equipment should be subject to
the prior approval of the network administrator, as well as BYOD
and acceptable use policies (which should be as robust as policies
imposed on the use of corporate devices).
- Provide for strict password and authentication requirements
(golden rules: (i) use a combinations of letters, numbers and
symbols; (ii) change your password every 28 days; (iii) ignore
automatically-generated "save your password" messages;
(iv) two-factor authentication for access to the organisation's
- Set out appropriate limitations for data processing in the BYOD
context (for example, it may not be appropriate to authorise the
use of an employee's personal device for the collection and
processing of sensitive data such as health information).
- Include controls on device use by third parties (such as family
members). Require automatic locking of devices after a period of
- Clearly identify where data should be stored (can the employee
save data to their device, or should it be uploaded to the network
with any copies being deleted?). Provide clear instructions
regarding how the employee should segregate personal content and
device usage, so that employers can safely monitor business related
use of the same device.
- Require the use of apps to ring-fence certain data processing
activities (subject to appropriate security features being
- Set out data erasure protocols to avoid the device being sold
or transferred to a third party with business information stored on
- Explain that the organisation will maintain the ability to
remotely access and delete data from the device (for example, to
delete data in the event that the employee reports a device lost or
stolen or to access data in the event that an employee is
incapacitated and cannot perform their functions).
- Require that home Wi-Fi passwords should be changed
- Require employees to alert the network administrator in the
event of any actual or suspected security incident or breach, and
set out the procedure for access to the personal device by the
organisation to mitigate the impact of such breach.
Securing Data Transfers
- BYOD arrangements will involve the transfer of data between the
employee's device and the corporate network.
- To reduce risks associated with such transfers consider
permitting data transfers only via encrypted channels such as VPNs
and via TLS, prohibit the use of cloud-based data sharing or public
backup services, and take appropriate measures to monitor data
transfers for the purpose of spotting unauthorised interception of
data (see below for information on monitoring and employee
Monitoring and Employee Rights
- As noted above, it may be necessary for security and compliance
reasons to monitor data processing activities in connection with
BYOD arrangements (and remote working arrangements more generally).
However, any such monitoring must be carefully balanced with
employees' rights and must take into consideration relevant
- Monitoring must be proportionate and focus on specific,
legitimate purposes (such as network and data security or
compliance with internal policies for the security of corporate
- Where employees are using their own devices, monitoring
parameters must carefully take into account employees' personal
use of the device.
- Employees should be fully informed about monitoring as well as
the ability of the organisation to wipe data remotely and limit
device and app access remotely.
- Equally, organisations may want to audit device usage to check
what business data has been accessed and stored by employees,
ensure that security measures are still in place and functioning
correctly, and monitor employees' compliance with internal
policies. Such audit should be fully explained to, and undertaken
with the cooperation of, the employee.
Reproduced with thanks to Christopher Schmidt CIPP?E CIPM CIPT CBSA
some European jurisdictions, monitoring of employees behaviour
should be undertaken only following consultation with the
employees' representatives, with the consent of trade unions,
or following conclusion of an agreement between a union and the
Article originally published on 30 April 2020
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Privacy from United States