GDPR: Are you compliant during the pandemic?
Complying with the General Data Protection Regulation (GDPR) and protecting personal data should be a priority for companies during the deconfinement phase.
Some organizations have been able to adapt to the reality of remote working with relative ease, using established procedures, practices, and solid IT infrastructure while complying with the GDPR. For others, the process of change has been too abrupt and quickly revealed weaknesses, with some organizations reporting data breaches.
To guide organizations, we have identified 4 tips concerning data privacy in remote work that help companies comply with GDPR and other regulations in these times of constant change and adaptation.
Make sure you have secure connections.
Now more than ever, people depend on their home broadband and personal computers to perform their daily work tasks. However, employees using home Wi-Fi, rather than more robust office networks, expose themselves – and in turn, companies – to the risk of cyberattacks. That’s why organizations must adopt and use cloud solutions so employees can access the IT infrastructures, platforms, and services they need, securely and in compliance with the GDPR.
Know your IT policy.
Enterprises need to ensure the process of data storage in the cloud meets the regulations necessary to protect their own company and the data in question. Employees need to consult their IT policy to understand what they can and can’t do. When an organization’s policy is unclear, IT needs to play a prominent role to ensure that employees don’t make their own software and security decisions without proper support and guidance.
Keep employees informed.
Usually, hardware is kept in the office. But with more and more employees working remotely and the increased use of cloud solutions, compliance is at stake. Companies need to be aware of local legislation that applies to them and guide their employees on best compliance practices. All companies will have some employees using the cloud to access the data they are processing. The key here is for them to be informed by their employer about how they should work remotely.
Do not risk employees’ privacy.
There are some elements to consider when it comes to the right to privacy in the context of teleworking. Access to employee data can result in a potential violation of human rights, as their whereabouts can potentially be traced 24 hours a day. Some companies may in turn unintentionally use this data for other purposes, for example, to monitor productivity levels throughout the day, which may result in an invasion of the teleworkers’ privacy.
In this context, and also applied to private companies, European Digital Rights (EDRi) calls on the Member States and EU institutions to ensure that, while taking public health measures to tackle Covid-19, they:
Strictly uphold fundamental rights: Under the European Convention on Human Rights, any emergency measures which may infringe rights must be ‘temporary, limited and supervised’.
Protect data for now and the future: Location data is personal data and therefore is subject to high levels of protection even when processed by public authorities or private companies. It should be anonymized to the fullest extent, for instance through aggregation and statistical counting.
Limit the purpose of data for the Covid-19 crisis only: The data collected, stored, and analyzed in support of public health measures should not be retained or used outside the purpose of controlling the coronavirus situation.
Implement exceptional measures only for the duration of the crisis: The necessity and proportionality of the exceptional measures taken during the Covid-19 crisis should be reassessed as soon as the crisis is mitigated.
Keep tools open: To preserve public trust, all technical measures to manage the new coronavirus should be transparent and should remain under public control.
Condemn racism and discrimination: Measures taken must not lead to discrimination and governments must remain vigilant regarding the disproportionate damage that marginalized groups may face.
Defend freedom of expression and information: To make sensible and well-informed decisions, we need to access good quality and reliable information.
Take a stand against internet shutdowns: During this crisis and beyond, an accessible, secure, and open internet will play a key role in keeping us safe.
Do not use this crisis for their own benefit: The private sector, particularly technology companies, needs to respect existing legislation in its efforts to help manage this crisis.
To navigate the risks of privacy breaches at this time of uncertainty, companies must act quickly and decisively and keep up to date with data protection legislation so that they can apply it to new circumstances, overcome the immediate threat, and secure their future once the storm passes.
Choosing the right tool is the best data protection strategy!
We developed GetComplied to help companies comply with GDPR and other data protection laws and avoid sanctions. And the truth is… it’s easier than it looks! You can edit your policies, cookies, and user rights on one platform!
Get in touch!
If you have any questions, do not hesitate to contact our team via social networks or email: firstname.lastname@example.org
We also have a live chat that you can access on the website itself by clicking on the icon at the bottom right.