Data protection and data security while working from home
The Corona pandemic is also forcing companies where there is normally no remote working option to let their employees work from home. Now, under high time pressure, companies have to find pragmatic solutions that preserve their ability to work and at the same time Data protection and ensure data security. Many data controllers have not yet issued corresponding regulations and guidelines. It is now necessary to quickly follow suit and to formulate the rules clearly and transparently in order to clarify the rights and obligations of employers and employees.
If an employee works from home, they must observe the same data protection rules as for their office work. The responsibility of the company and thus possibly also the personal liability of the management remains. So they do not end at the company door.
Tips for data protection and data security in the home office: Employers
For the GDPR it does not matter who processes the data and where. The decisive factor is who decides on the purposes and means of data processing. This is regularly the Employers. They should take the following measures:
- Determine which hardware and software may be used in the home office!
- Access to IT systems and computers from the home must be secured with a password.
- Access to the company's systems should only be possible via a VPN. This VPN should be tested for its resilience before a large number of employees access it.
- Ensure that stationary computers and mobile data carriers are encrypted like USB sticks! Employees should also encrypt e-mails sufficiently if they contain sensitive personal data or business secrets.
- Ideally, the employer provides its employees with the IT equipment they need to work in their home office in a data-protection-compliant manner.
- To ensure that data is always available, it should be possible to back up the data remotely to the company. Local storage should be avoided.
- Require employees to report data breaches and other safety-related incidents quickly!
Tips for data protection and data security in the home office: Employees
Employees should observe the following while working from home when processing or accessing personal data there:
- These data may not be viewed by third parties, i.e. not even by relatives or fellow residents. Ideally, personal data should be processed in a separate room and stored in a lockable cabinet. This applies to digital and analogue data.
- IT equipment provided by the employer should not be used privately or by family members.
- If USB sticks are used for storage, you have to use sticks from the employer. This also applies to other data carriers. They must not contain private files.
- Professional e-mails must not be forwarded to private e-mail boxes of colleagues.
- Printouts should be avoided. If you use paper documents, they should not be left lying around openly readable for others.
- The destruction of documents should also be carried out in accordance with data protection rules. Printouts of personal data and other sensitive content must at least be torn into small pieces.
External Data Protection Officer
You are welcome to contact us as external data protection officer (DPO) order. We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.
Recommendations for data security
Many technical and organisational measures must also be taken for data security from home. Companies should also orient themselves to the catalogues of ISO 27001 or the BSI basic protection in teleworking. The choice of measures should be based on the concrete risk of processing at the respective location. The GDPR bases its risk assessment on the type, scope, circumstances and purposes of processing and on the actual probability of a risk occurring.
Of course, spontaneous solutions for remote working usually cannot fully implement all IT security requirements. In many cases, private hardware, software and network connections are used as an alternative. It is also possible that not all components that companies make available on an ad hoc basis are state-of-the-art in terms of data security. Faster and more stable network connections, the establishment of VPN solutions and the acquisition of suitable hardware often cannot be achieved at short notice.
The BSI recommends some measures to companies that lay the foundation for IT security in mobile working without much effort:
- Make clear and binding regulations in writing regarding IT security and the security of your data and communicate them to all parties involved!
- Ensure clear contact points and communication channels that can be verified by the employees!
Greater danger from phishing
At present, new phishing mails may increasingly appear, which will exploit the current crisis situation and attempt to access sensitive data, for example, with references to remote access, security tips and the resetting of passwords. At their home desks, employees often have to see for themselves, without training, how they cope with new video conferencing software and unfamiliar collaboration platforms. This can also make it easier for phishing perpetrators to deceive.
The BSI lists further tips here: BSI recommendations on the subject of home office
The members of the Federal Association for IT Security (TeleTrusT) provide free IT security solutions including remote consulting for three months: