Companies around the world are facing a variety of challenges because of the Covid-19 outbreak. To support the fight against the pandemic and to adapt their daily business to this exceptional situation, many of them have started, or plan to start, remote working at short notice. However, enterprises, especially those in the European Union that must observe the GDPR, must not neglect their duty to protect their customers' and employees' personal data. Violations can lead not only to severe measures and fines imposed by data protection authorities but also to damage to the company's reputation with customers and on the market for skilled workers. In this context, the careful selection of software that keeps internal communication running while staff work from home is becoming increasingly important. This article presents what companies need to consider, from a data protection point of view, when introducing working from home and the corresponding software applications, and why it is essential to involve the Data Protection Officer (DPO) in the process.
When implementing working from home and corresponding video conference tools, companies must not neglect data protection and data security measures.
Introducing Remote Work: Data Protection Challenges during Covid-19
The introduction of remote working at short notice brings data protection risks that are easy to overlook, especially for enterprises in the European Union that must observe the GDPR. This article presents the risks of unprepared measures and shows how the introduction of working from home and the selection and use of suitable communication software can be made legally sound from a data protection perspective.
Because of the Covid-19 pandemic, and where the business model allows it, many companies have decided to let their employees work from home. Working from home appears to be a good way to keep the business running as far as possible during this unusual period while protecting the health of staff and of society at large. In European countries such as Germany, governments even officially recommend that employers support working from home in order to preserve the health and working ability of their employees and, with them, the business itself.
But remote working needs to be well prepared. Spontaneous solutions usually do not meet all security requirements, so working from home without specific preparation is not a low-risk measure from a data protection point of view. In addition, companies may need to select a video conferencing tool to keep communication between employees going while they work remotely. Because the confidentiality, integrity and availability of information systems must not be neglected, employers are well advised to seek the support of their Data Protection Officer (DPO). To achieve a minimum standard of data protection and IT security, management is obliged to take a number of basic measures; otherwise the company may face serious disadvantages.
Enterprises in the European Union are obliged to protect the personal data of their customers, employees and business partners under the General Data Protection Regulation (GDPR). Under Art. 32 GDPR, every controller must ensure the security of personal data by implementing appropriate technical and organizational measures. Since these measures are usually designed for work in the office on site, they do not carry over in full to working from home. Insufficient preparation can therefore lead to corrective measures by the data protection supervisory authorities or to claims for damages by data subjects (Art. 82 GDPR). The supervisory authorities' corrective powers range from issuing a reprimand to the controller that a processing operation has infringed the GDPR, to imposing an administrative fine, to imposing a temporary or definitive ban on the processing (Art. 58 GDPR).
Furthermore, companies must comply with IT security standards to prevent extortion attacks such as ransomware and to protect their trade secrets. Attackers break into IT systems and demand money under threat of paralysing the systems, for example by encrypting data, or of using or selling personal or business data without authorization. For industrial companies in particular, protecting trade secrets from unauthorized access is extraordinarily important. If a company's information is not subject to reasonable protective measures of a technical, organizational and legal nature, it may not qualify as a trade secret under EU law at all (see Art. 2(1)(c) of Directive (EU) 2016/943 of the European Parliament and of the Council), in which case the company cannot invoke trade secret protection against unauthorized use of that information.
There are a number of basic measures companies can take to achieve data security and data protection when introducing working from home.
First, it is essential to establish clear, unambiguous and binding rules on IT and data security for staff, so that they know exactly which rules to follow and which steps to take to minimize data security risks. Employees can be informed of these rules individually by email. It is also useful to provide a checklist of the most important rules of conduct that employees can use to check themselves. Where possible, employees should be trained in the rules. Data protection supervisory authorities publish country-specific guidance on introducing working from home, which DPOs can draw on when putting together such rules, checklists and training material.
For IT security, it is especially important that internal company resources are accessed only over a secure communication channel, i.e. a cryptographically secured Virtual Private Network (VPN). Business hardware such as laptops, mobile phones and other data carriers should be encrypted (full-disk encryption), so that a lost or stolen device does not expose the data on it. Employees should also use a protected connection while working from home: a wired LAN or an encrypted, password-protected wireless network rather than an open or shared one.
Furthermore, employees should be given clearly defined contact points and communication channels whose authenticity they can verify, for example a single designated video conferencing tool. This makes phishing harder to carry out and discourages employees from resorting to private messengers such as WhatsApp, which are unsuitable for company use in terms of data protection.
In the context of phishing, fraudsters can be observed trying to exploit lax security during the rollout of working from home. Using phishing emails, fake websites or text messages, they attempt to capture sensitive company or user data. Companies should therefore make employees particularly aware that they must never pass on user credentials or passwords, install software on business equipment without authorization, or open attachments or links in emails from unknown senders. In particular, the sender address of any unusual email should always be checked: the display name is not the address, and a plausible name can sit in front of an address at an entirely different domain.
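To make the sender check concrete, the following Python script is an added example and not part of the original article or of any guidance it draws on. It parses the headers of a raw message and flags the inconsistencies a reader is told to look for: a display name that itself looks like an address at a different domain, a sender domain that is a lookalike of the company domain, a Reply-To or Return-Path pointing elsewhere, and an SPF or DKIM failure already recorded by the receiving mail server. The company domain `corp.example` and the three sample messages are constructed for illustration.

```python
# Added example, not code from the original article: flag the sender-header
# inconsistencies that the "check the sender address" advice refers to.
# TRUSTED_DOMAINS and the three sample messages are constructed assumptions.
import email
from email.utils import parseaddr

TRUSTED_DOMAINS = frozenset({"corp.example"})  # assumed company domain(s)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_sender(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return finding codes for a raw RFC 5322 message; [] means nothing odd."""
    msg = email.message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    findings = []

    # 1. Display name that itself looks like an address at another domain,
    #    e.g. "ceo@corp.example" <someone@evil.example>.
    if "@" in display and _domain(parseaddr(display)[1]) != from_dom:
        findings.append("display-name-mismatch")

    # 2. Sender domain is not one of ours; additionally flag typo-squats
    #    (edit distance <= 2, or our first label embedded in their domain).
    if from_dom not in trusted:
        findings.append("untrusted-domain")
        if any(_edit_distance(from_dom, t) <= 2 or t.split(".")[0] in from_dom
               for t in trusted):
            findings.append("lookalike-domain")

    # 3. Replies or bounces routed to a domain other than the sender's.
    for header, code in (("Reply-To", "reply-to-mismatch"),
                         ("Return-Path", "return-path-mismatch")):
        value = msg.get(header)
        if value and _domain(parseaddr(value)[1]) != from_dom:
            findings.append(code)

    # 4. The receiving mail server already recorded an SPF or DKIM failure.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("auth-fail")
    return findings


# Constructed sample messages (not real mail).
LEGIT = """\
From: Jane Doe <jane.doe@corp.example>
To: bob@corp.example
Subject: Weekly sync
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example

Agenda attached.
"""

PARTNER = """\
From: Accounts <billing@partner.example>
To: bob@corp.example
Subject: Invoice 4711

See attached invoice.
"""

PHISH = """\
From: "ceo@corp.example" <it-support@c0rp.example>
Reply-To: payroll@mail-reset.example
Return-Path: <bounce@mail-reset.example>
To: bob@corp.example
Subject: Urgent: confirm your VPN password
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-reset.example

Your VPN access expires today. Confirm your password at the link below.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("partner", PARTNER), ("phish", PHISH)):
        print(name, check_sender(raw) or "ok")
```

Run it as a script to see the three verdicts, or call check_sender() from a mail gateway or helpdesk tool. The heuristics are deliberately simple: a Levenshtein distance of 2 or less against a trusted domain, or the trusted domain's first label appearing inside the sender domain, catches typo-squats such as c0rp.example but will also flag legitimate domains that happen to share a label, so treat the output as a prompt for a human check rather than a blocking decision.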
Moreover, companies must establish rules for the use of private and business devices. Private devices such as laptops or mobile phones should only be used if the company has a bring-your-own-device policy that clearly restricts the use of private apps, cloud storage and messaging services that do not comply with data protection law. Otherwise, employees must refrain from copying business data to private devices or a private cloud and from connecting private storage media such as USB sticks to the business device. Unregulated use of private devices for business purposes carries a high risk of data loss, unauthorized transfer of personal or business data, or introduction of malware. For the same reason, private communication channels such as WhatsApp or Facebook should not be used to exchange business information.
Business devices such as laptops or mobile phones must be kept safe by each employee at their workplace at home. The aim should be a level of security comparable to that of an office, for example by closing doors and windows when leaving the workplace. In particular, equipment must be protected against access by third parties, including other members of the household: lock the screen when leaving the workplace, position the screen so that it cannot be seen from outside, and, where possible, lock the equipment away when it is not in use.
Finally, employees should be instructed not to print documents while working from home. If printing is unavoidable, the printed documents must be destroyed properly afterwards and never disposed of in the household waste. To minimize the risk of data loss, regular backups should also be made while working from home. If a company device, paper documents or a mobile device is lost, employees must report the loss immediately to a central unit. These measures also prevent personal data and business secrets from being exposed to unauthorized third parties.
In this context, it is essential that every employee knows whom to contact in the event of a personal data breach and how to reach that person. Employees should be made aware of the short notification period under Art. 33 GDPR: a breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, and missing that deadline can itself attract sanctions. Since the clock starts when the company becomes aware, the employee's internal report must be immediate; the DPO should therefore always be the first point of contact.
At a time when the vast majority of a company's staff work remotely and face-to-face meetings have to be replaced, video conferencing tools for online meetings gain enormously in importance. With a rapid changeover, however, companies may lack the time to carefully select a suitable and secure tool from the wide range of providers. Yet IT and data security are of utmost importance when choosing such a tool. Management should therefore not go it alone but involve the DPO closely in the selection process.
A video conferencing tool must meet various requirements, including GDPR compliance when it is used by employees in the EU. When choosing from the large variety of tools, providers from third countries must be rejected unless there is an adequacy decision under Art. 45 GDPR for the country in which the provider is established, or the transfer of personal data is covered by appropriate safeguards under Art. 46 GDPR, such as standard contractual clauses or binding corporate rules. At the time of writing, the EU-US Privacy Shield served as such an adequacy decision for certified US providers; it was invalidated by the Court of Justice of the EU in July 2020 (Schrems II, C-311/18), so transfers to US providers now have to rest on Art. 46 safeguards and a case-by-case assessment of the level of protection actually achieved.
An essential anchor for choosing a video conferencing tool that meets GDPR requirements is Art. 25 GDPR. Accordingly, the controller must consider both the software's default settings and the level of data protection that can be achieved through individual technical settings ('data protection by design' and 'data protection by default').
Suitable programs use transport encryption and, ideally, end-to-end encryption. Online conference rooms must be protected by passwords or personalized invitations. The software must not record conferences for quality improvement or any other form of evaluation, nor allow the employer to record the video conference. The program must not allow the host to switch on other participants' cameras or microphones or to share their screens by remote control; these privacy settings must remain under each participant's own control. A higher level of data protection can also be achieved with a background blurring function that each participant can enable.
Furthermore, the employer should be able to adjust the settings for telemetry data and for functions that analyse participants, such as attention tracking. These functions should be disabled to ensure data minimization. Where such analysis relies on biometric data, which is a special category under Art. 9 GDPR and may only be processed on narrow legal grounds, processing employees' data in this way would be unlawful.
In addition, the controller must comply with the fundamental provisions of the GDPR, including the rights of the data subjects, i.e. the employees. Before instructing employees to use the chosen video conferencing tool, the employer must inform them properly in accordance with Art. 13 GDPR. The controller must also add the use of the new software to the record of processing activities under Art. 30 GDPR. The obligation to comply with data protection rules does not end with the introduction of the software but requires continuous monitoring and, where necessary, adjustment, which underlines the importance of involving the DPO throughout. A basic entry in the record of processing may be acceptable while quick action is needed, but it must be completed as soon as the situation allows. The record must also state the purpose of the processing and, where possible, the envisaged time limits for erasure. For the purpose of data minimization, personal data should be erased as soon as the conference has ended and the data is no longer needed.
Since data security is always also a user issue, it is of utmost importance to train employees in the secure use of video conferencing tools. Given the limited options for face-to-face training, the DPO can help by providing simplified guidelines and codes of conduct. Employers should also ask employees for feedback on the data security settings of the chosen software.
Another GDPR-specific point is the possible need for a data protection impact assessment (DPIA) under Art. 35 GDPR. Whenever new technologies are introduced that are likely to result in a high risk to the rights and freedoms of natural persons, the controller must assess the impact of the planned processing on the protection of personal data. Under Art. 39 GDPR, it is one of the DPO's primary tasks to provide advice where requested regarding the DPIA and to monitor its performance. The controller, advised by the DPO, must document the assessment of whether a DPIA is required in order to be able to justify the decision to the supervisory authority. Whether a DPIA is required depends on the individual software and cannot be conclusively assessed from the outset. However, since in the context of the Covid-19 crisis the processing of personal data by video conferencing software also takes place in the private environment of employees working remotely, there is a strong case for a duty to carry out a DPIA.
In times of digital transformation, companies must not neglect data security and data protection. This is especially true during the Covid-19 pandemic, when rapid action is essential to maintain business operations as well as possible. The obligation to comply with data protection law begins with the preparation of remote working and the selection of suitable software providers, and must be observed and monitored continuously throughout the period of use. When introducing remote working and selecting the necessary applications at short notice, management should therefore seek support from its in-house or external DPO. In this way, risks can be minimized and the data of the company, its employees, customers and business partners can be protected as well as possible. DPOs should prepare for these new tasks by seeking information and support from data protection authorities and through other channels.