The GDPR and working from home | GDPR remote access policy

What is the GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that establishes a framework for the collection, processing, storage, and transfer of personal data. It requires that all personal data be processed in a secure fashion, and it includes fines and penalties for businesses that do not comply with these requirements.

Complying with the GDPR can be a challenge for any business, and using a remote workforce introduces additional complexities. When some or all of a business's employees and contractors work from home, internal data protection teams can have less control and visibility of data security. Strong remote access security policies can help safeguard the personal and confidential data that is protected by the GDPR.

What is a remote access policy?

A remote access policy is the set of security standards for remote employees and devices. A company's IT or data security team will typically set the policy. Virtual private network (VPN) usage, anti-malware installation on employee devices, and multi-factor authentication (MFA) are all examples of things that can be included in a security policy for remote access.

What does the GDPR require?

The GDPR is a very broad set of regulations. Among other things, it requires several specific actions that data controllers and processors need to take. Some of these include:

• Record keeping: Data processors must keep records of their processing activities.
• Security measures: Data controllers and processors must regularly use and test appropriate security measures to protect the data they collect and process.
• Data breach notification: Data controllers that suffer a personal data breach have to notify appropriate authorities within 72 hours, with some exceptions. Usually, they also have to notify the individuals whose personal data was affected by the breach.
• Data Protection Officer (DPO): Companies that process data may need to hire a Data Protection Officer (DPO). The DPO leads and oversees all GDPR compliance efforts.

The full requirements for data controllers and processors are described in the GDPR.

Because data security is a primary concern under the GDPR, companies that allow their workers to work from home need to make sure they are taking the right steps to protect the data that their workers access remotely.

What should businesses with remote workforces do to ensure data security?

The following steps are therefore a very important part of any remote access policy (not an exhaustive list):

Protect data both in transit and at rest.

Data in transit refers to data that is traveling from point A to point B — for example, data passing between a SaaS application and a user's device. Data at rest refers to stored data, such as data on a user's laptop hard drive. In both cases, data must be secured.

Access control and encryption are the key technologies for protecting data. Remote employees, like all employees, must have good reason for having access to personal data, and their access to that data has to be tracked and managed. Identity and access management (IAM) technologies help prevent unauthorized persons from viewing and altering data.

Additionally, data passing over networks, including the Internet, should be encrypted with HTTPS, a VPN, or another method. (Cloud-based applications can complicate this rule for remote employees — read this article on business VPNs to learn more.) In addition, data must be encrypted when it is stored or "at rest" within servers and hard drives as well. To accomplish this, IT teams need to enforce their security policies for encryption on all devices, even on employees' personal devices in some cases.

Protect employee endpoints.

Remote employee endpoint devices (such as laptops, desktop computers, and smartphones) must be protected from cyber attacks, because a malware infection could result in a data breach. Devices should have anti-malware software installed at a minimum. A secure web gateway can also help protect employees as they browse the Internet.

But even more common than malware infections are lost devices: laptops or smartphones with sensitive data stored locally, that employees accidentally leave in a public area. This is another reason why device encryption is incredibly important.

Protect against phishing attacks and other forms of account takeover.

Phishing attacks are still one of the most common causes of data breaches. A phishing attack is when an attacker tricks a user into giving up their login credentials, enabling them to take over the user's account. The implications of an account takeover can be disastrous for a company trying to remain compliant, as the attacker can then infiltrate the organization and view, leak, or steal consumer data.

Brute force and password spraying attacks can also result in account takeover, so companies must enforce a strong password policy. No one should be able to guess any employee's password, and the password should be able to withstand most bot attacks. If possible, businesses should implement two-factor authentication on every corporate application in use.