The Coronavirus pandemic has caused a paradigm shift in modern-day workplaces. Companies across the globe have seen a rapid and widespread shift to remote work, making compliance with the GDPR harder than ever. The Federal Office for Information Security (BSI), in its recent report on the ‘State of IT Security in Germany 2020’, expressed its concern and described a ‘tense situation’ for data protection in the country. Arne Schönbohm, president of the BSI, emphasized last week the importance of ensuring that mobile workstations in the “new normal” are sustainable and secure. Since the BSI does not make explicit recommendations, the question of what concrete steps companies must take to ensure data protection and data security when permitting their employees to work remotely still stands.
GDPR Art. 32 requires companies that process personal data to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks of the data processing. This must be done taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the likelihood and severity of the risks to the rights and freedoms of natural persons. This requirement applies in particular to companies whose employees work remotely. Suitable technical and organizational measures must be implemented to counter the distinctive risks that remote work poses. In this respect, it is worth noting that supervisory authorities have historically been critical of mobile working. For instance, in 2017 the Federal Data Protection Commissioner expressed the view that in cases of contract data processing (Auftragsverarbeitung), the data processor should not, in principle, be permitted to telework, because the security risk posed by this form of data processing is high and the opportunities for responsible authorities to impose control measures are limited.
The Bavarian Data Protection Authority (BayLDA) has published on its website a checklist that allows companies to self-assess their conformity with data protection regulations when employees are working remotely. These measures are by no means meant to be exhaustive; rather, they represent a best-practice approach. The decision to implement specific measures should be made individually on a case-by-case basis. As a general rule of thumb, the work environment in remote offices should be designed in a manner that ensures the confidentiality and availability of data. Employees must be instructed to use only those devices that are provided by the employer. The use of private devices should remain the exception, and if private devices are nevertheless used for official purposes, it must be ensured that no business data is stored on them permanently. Regardless of the device used, the connection to the company network should always be made over a state-of-the-art encrypted VPN connection. Further, the use of two-factor authentication alongside a password is recommended. All company data should be processed and stored exclusively on company networks. The handling of paper documents should be minimized as far as possible. Moreover, automatic security updates should be provided to ensure that all programs, tools and security systems are up to date. Finally, employees should be made aware of the unique data protection risks of mobile work and trained accordingly.
It is the responsibility of employers to regularly check and ensure employees’ compliance with these measures. In this context, as well as when introducing remote work in a company, the involvement of the works council must be taken into consideration where appropriate.
Furthermore, with regard to any existing cyber insurance, it should be noted that the increased use of mobile work may constitute an increase in risk that must be notified to the insurer.
Companies have been confronted with the key question of how to maintain the ability to work while ensuring data security in the wake of drastic measures to contain the pandemic. In light of this, it must be noted that supervisory authorities have consistently maintained their focus on ensuring the security and integrity of data processing by means of appropriate technical and organizational measures. This is demonstrated by the numerous fine proceedings of the last two years, in which the authorities have imposed fines, in some cases in the millions, because of inadequate technical and organizational measures.
Companies that allow their employees to work from home and/or remotely must therefore take suitable technical and organizational measures to counter the special risks that this may pose. To reiterate, employees should be regularly made aware of the special data protection risks of mobile work and should be trained accordingly. The employer must regularly check that employees comply with these measures. It can be assumed that the pandemic will have a lasting impact on the way companies and institutions operate. The current changes should be taken as an opportunity to initiate strategic and organizational transformations with regard to data security in the home office.