Checklist: Data protection and information security for remote working
Remote working is becoming commonplace: More and more companies are allowing their employees to carry out some of their professional duties from home or another location away from the traditional office environment.
Employers should put in place clear rules for working away from the office so that both employer and employee understand their rights and obligations relating to data protection and information security, irrespective of where the employee is working and what device they are using.
We strongly recommend that both parties provide written agreement to these rules to avoid any misunderstanding or employer liability. Our free checklist for data protection in a home office or other location provides guidance to ensure that key details are not missed when you implement data protection measures for your employees’ remote working arrangement.
Data protection for remote working
Working from home is becoming increasingly popular and can be a mutually beneficial arrangement. Benefits of this flexible work model include increased employee motivation and efficiency, a better work-life balance, lower employee stress levels and a family-friendly way of working.
As companies increase the provision of devices – such as laptops and smartphones – to their employees, their use is becoming more common away from the office (for example, on the train or at client sites).
A company’s responsibility to comply with data protection law extends beyond the main office to remote working sites, where measures to ensure compliance with data protection laws must also be in place. Employers’ responsibilities and liabilities remain unchanged.
The EU General Data Protection Regulation (GDPR) does not contain any specific requirements for technical and organisational measures (TOM) and lists only a small number of measures that should be taken, such as pseudonymisation and encryption. The GDPR makes it clear that the list is not exhaustive and that the measures put in place must ensure a level of security appropriate to the risk.
Therefore, we generally recommend that you follow the technical and organisational measures specified under the international standard ISO 27001 or the ICO’s (Information Commissioner’s Office) Guidance for working remotely. Please note: The suggested measures should always be adapted where necessary and should be applied to each location regardless of where the data is processed.
Specific measures should be selected according to actual processing risks at each location (in evaluating risk, the GDPR focuses on type, scope, circumstances and the purpose of processing as well as the probability of occurrence).
ISO 27001 Annex A includes measures in the following areas:
- Organisation of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Physical and Environmental Security
- Operations Security
- Communications Security
Establishing basic rules and setting up the technical infrastructure are the starting point for implementing the required measures. Rules are essential for determining, for example, which data must never leave the company and how data will be transferred, and for technical matters, such as setting up a VPN connection and deciding who is authorised to use it.
Work using company devices
We recommend that company devices are made available to employees working remotely and, if possible, that the use of personal devices is either prohibited or technically blocked to ensure data protection.
Regular updates should be made available, and virus protection and a firewall should be installed. Hard disk encryption should also be considered, so that data is protected from unauthorised access if the device is lost.
Alongside measures implemented by the company, further precautions should be taken for employee home working spaces and remote working instructions should be provided.
Data security when remote working
Processing data away from a secure office environment increases the risk of data loss, especially if there are no provisions for consistent data security. If work-related information is stored locally, the data no longer flows into the company’s data security system. Consequently, we strongly recommend that employees use the company’s system and that local data storage is prohibited.
Essential data protection training for remote working
To ensure that employees are protecting data from third parties in their home office and elsewhere (e.g. from family members), they should be provided with regular training on data protection and data security. Employees need to learn how to protect confidential data and prevent access to it by third parties. For example, they should position their screens where they are unlikely to be overlooked, use privacy filters, or set up automatic, password-protected screen savers.
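As an added example (not part of the original checklist), the following PowerShell script audits a company Windows laptop for the device controls listed above: disk encryption, firewall, virus protection and an automatic, password-protected screen lock. The function name, the 10-minute lock and 3-day signature thresholds are assumptions; it expects Windows 10/11 with BitLocker, the Windows firewall and Microsoft Defender, and reads the per-user screen saver values (policy-managed devices may set them under HKCU:\Software\Policies instead).

```powershell
# Added example, not from the original page. Audits the remote-working device
# controls named in the checklist and returns one pass/fail row per control.
function Test-RemoteWorkBaseline {
    [CmdletBinding()]
    param(
        # Assumed policy: the screen must lock after at most 10 minutes idle.
        [int]$MaxScreenLockSeconds = 600,
        # Assumed policy: antivirus signatures must be at most 3 days old.
        [int]$MaxSignatureAgeDays = 3
    )
    $results = @()

    # 1. Hard disk encryption: system drive fully encrypted with protection on.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $results += [pscustomobject]@{
        Control = 'Disk encryption (BitLocker on system drive)'
        Pass    = ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On')
        Detail  = "$($os.VolumeStatus), protection $($os.ProtectionStatus)"
    }

    # 2. Firewall: all profiles enabled; home and train Wi-Fi usually map to Public.
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
        Select-Object -ExpandProperty Name
    $results += [pscustomobject]@{
        Control = 'Firewall enabled on Domain, Private and Public profiles'
        Pass    = (-not $off)
        Detail  = if ($off) { "disabled: $($off -join ', ')" } else { 'all profiles on' }
    }

    # 3. Virus protection: Defender real-time protection on, signatures fresh.
    $mp = Get-MpComputerStatus
    $results += [pscustomobject]@{
        Control = 'Virus protection (Defender real-time, fresh signatures)'
        Pass    = ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
        Detail  = "real-time $($mp.RealTimeProtectionEnabled), signature age $($mp.AntivirusSignatureAge) days"
    }

    # 4. Automatic, password-protected screen saver within the idle limit.
    $desk    = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
    $timeout = [int]$desk.ScreenSaveTimeOut   # missing value becomes 0 -> fail
    $results += [pscustomobject]@{
        Control = 'Password-protected screen lock'
        Pass    = ($desk.ScreenSaveActive -eq '1' -and $desk.ScreenSaverIsSecure -eq '1' -and
                   $timeout -gt 0 -and $timeout -le $MaxScreenLockSeconds)
        Detail  = "active $($desk.ScreenSaveActive), secure $($desk.ScreenSaverIsSecure), timeout $timeout s"
    }
    return $results
}

Test-RemoteWorkBaseline | Format-Table -AutoSize
```

Run it in an elevated PowerShell session, since Get-BitLockerVolume and Get-MpComputerStatus require administrator rights; any row with Pass = False is a control from the checklist that the device does not yet meet.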
It is also important not to forget about printouts: printed documents should be shredded after use and never re-used as scrap paper or drawing paper for children.