Working from home is not only a hot topic in the media, but it’s part of the everyday lives of millions of employees. However, if you were to look for this term in the official data privacy regulations, you would be searching in vain. Many laws still refer to a slightly outdated term: “teleworking”.
After the outbreak of the coronavirus pandemic in March 2020 caused thousands of small, medium-sized and large companies to send their staff home to work remotely, with practically no time to prepare, the issue of data privacy for them is now even more pressing. Here, we have compiled our most important recommendations for compliance and data privacy while your employees are working from home.
In this article
- Company responsibility for data privacy at home
- Utilize data protection agreements
- Separate work and private life
- Encrypt data and set up passwords
- Avoid data clutter
- Have a clean desk
- Set the right standard
- Maintain control
- Report incidents
Company responsibility for data privacy at home
Important to know: The responsibility for data privacy is that of the company itself, and sometimes one person in the case of sole traders. You cannot delegate this responsibility by enabling staff to work from home. If there is a data breach as a result, you must bear the consequences.
Therefore, it’s crucial to be aware of which data is considered particularly sensitive in accordance with the General Data Protection Regulation (GDPR). This includes health data, biometric data, details about religious persuasion, and ethnic background. The more sensitive the data, the greater the need for protection. For the highest degree of confidentiality, it is important to also take precautions when working from home.
Here are 8 ways companies can ensure their employees are taking the proper measures to protect sensitive data while working from home.
1. Utilize data protection agreements
Ideally, employers should already have entered into a written policy agreement with their employees regarding working from home, before they spend their first working day outside the office. The second-best time is now, because after all, it is better late than never.
Such an agreement, signed by both parties, should not be a standard template from the internet, but should be individually tailored to the situation of the company, and it should inform employees about their obligations. In any case, it should include a confidentiality policy which also applies to other members of the household, if the workstation is not clearly separated from the rest of the home.
2. Separate work and private life
Depending on the circumstances, the best solution for employees working from home is their own lockable office. If this is not possible, the screen at least should be protected against prying eyes. Privacy filters and films are an option in this case.
Software and hardware, such as laptops and common office programs, should also be provided entirely by the employer. This way, the work computer will only be used for work purposes, and private use will only take place outside of working hours. Of course, confidential phone calls cannot be made in the presence of third parties.
3. Encrypt data and set up passwords
Encryption at home starts with your internet connection. For example, an open WiFi connection is more convenient, but a wired LAN connection is considerably more secure. If plugging in the cable is bothersome, you can take comfort in the fact that a LAN connection should also be faster. There are now various encrypted messenger services for internal company communications. The hard drive on the work computer itself should also be encrypted, and the screen should lock automatically after a maximum of ten minutes of inactivity.
Two-factor authentication upon login also offers additional security. This is where a smartphone, for instance, is used as a second, independent device. USB sticks that have been left lying around are a major data privacy risk, and not just in the home office. If using USB sticks cannot be avoided, encrypting them is also an option. Ultimately, it might be worth blocking USB ports completely for external storage.
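An employer can verify three of these settings (disk encryption, the ten-minute screen lock and blocked USB storage) from data a managed laptop already exposes. The sketch below is an added example, not part of the original article. It assumes a Linux laptop with GNOME and LUKS, which the article does not specify; the inputs are the text of `lsblk -J -o NAME,TYPE,MOUNTPOINT`, three `gsettings get` values and a modprobe.d file, and all function names and sample data are constructed for illustration.

```python
import json
import re

MAX_IDLE_SECONDS = 600  # the article's ten-minute maximum before the screen locks

def root_is_encrypted(lsblk_json):
    """True if the filesystem mounted at / sits below a dm-crypt ('crypt') device."""
    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        if dev.get("mountpoint") == "/":
            return under_crypt
        return any(walk(c, under_crypt) for c in dev.get("children", []))
    return any(walk(d, False) for d in json.loads(lsblk_json)["blockdevices"])

def seconds_until_lock(idle_delay, lock_delay, lock_enabled):
    """Parse gsettings values such as 'uint32 300'; None means the screen never locks."""
    values = [re.fullmatch(r"uint32 (\d+)", v.strip()) for v in (idle_delay, lock_delay)]
    if lock_enabled.strip() != "true" or not all(values):
        return None
    idle, delay = (int(m.group(1)) for m in values)
    return None if idle == 0 else idle + delay  # idle-delay 0 disables idle detection

def usb_storage_blocked(modprobe_conf):
    """True if an 'install usb-storage /bin/false' (or /bin/true) rule stops the module loading."""
    for line in modprobe_conf.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if (len(fields) >= 3 and fields[0] == "install"
                and fields[1].replace("_", "-") == "usb-storage"
                and fields[2] in ("/bin/false", "/bin/true")):
            return True
    return False

def audit(lsblk_json, idle_delay, lock_delay, lock_enabled, modprobe_conf):
    """Return the list of baseline items this laptop fails."""
    findings = []
    if not root_is_encrypted(lsblk_json):
        findings.append("disk-not-encrypted")
    wait = seconds_until_lock(idle_delay, lock_delay, lock_enabled)
    if wait is None or wait > MAX_IDLE_SECONDS:
        findings.append("screen-lock-too-slow")
    if not usb_storage_blocked(modprobe_conf):
        findings.append("usb-storage-allowed")
    return findings

# Constructed sample: LUKS root, but the screen locks only after 15 minutes.
SAMPLE_LSBLK = '{"blockdevices":[{"name":"nvme0n1","type":"disk","mountpoint":null,"children":[{"name":"nvme0n1p1","type":"part","mountpoint":"/boot"},{"name":"nvme0n1p2","type":"part","mountpoint":null,"children":[{"name":"cryptroot","type":"crypt","mountpoint":"/"}]}]}]}'
SAMPLE_MODPROBE = "# constructed modprobe.d fragment\ninstall usb-storage /bin/false\n"

if __name__ == "__main__":
    print(audit(SAMPLE_LSBLK, "uint32 900", "uint32 0", "true", SAMPLE_MODPROBE))
```

A `blacklist usb-storage` line alone is deliberately not accepted, because it only stops automatic loading and the module can still be loaded by hand.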
4. Avoid data clutter
What is good for the environment is also good for data privacy, and preventing waste is better than separating waste. In other words, avoid data clutter. Data clutter encompasses any unnecessary files and copies on other data carriers – personal data should be processed as little as possible, as mandated by the GDPR.
However, waste in a direct sense also includes unnecessary paper printouts. Under no circumstances should they be put in the wastepaper bin at home! When paper copies are produced, they should be stored in a lockable cabinet and shredded in the office at the earliest opportunity.
5. Have a clean desk
If the desk is tidy, the work is tidy. What applies in the office is also sensible advice to follow at home: employees should follow the clean desk policy and clear their desks when they finish work, so that they can start the following morning without having to dig out their laptops from underneath mountains of paper.
Leaving printouts with sensitive data lying around is also completely out of the question. Even if you are away from your desk for just a short period of time, they belong in a locked cabinet.
6. Set the right standard
Due to the outbreak of COVID-19, the global crisis has also caused standards to slip in terms of data privacy. Governments, supervisory authorities, employers and employees have been forced to improvise, and what seemed unimaginable yesterday is now something of a reality.
However, even if parameters have shifted because of the crisis, this is by no means ‘carte blanche’ to brush data privacy aside. Instead, it must be evaluated, and new standards must be set.
When it comes to the question of whether an employee has visited high-risk areas during their time off work, the employer’s duty of care towards its staff may weigh more heavily than data privacy. In times of crisis, the following basic rule applies: all measures that infringe other rights are to be promptly taken care of.
7. Maintain control
Working from home requires a certain leap of faith on the part of the employer, and experience shows that this trust is very rarely betrayed. Pedantic check-up calls make little sense and can have a rather demotivating effect.
Nevertheless, the employer still has a responsibility for data privacy when working from home and should therefore ensure certain means of control. On the other hand, the sanctuary of one’s own home is afforded extra-special protection by the constitution. Unannounced visits to an employee’s home are therefore out of the question from the outset. However, the home office agreement should specify how control measures can be made possible.
8. Report incidents
If, despite all data privacy precautions, data breaches occur at an employee’s home, open and honest communication is of paramount importance. The employee should know how to report relevant incidents to his/her employer. Not every data breach must then be reported by the employer, and an external data protection officer can help clarify what must be reported.