What is the GDPR?
The General Data Protection Regulation, or GDPR, is the E.U. law that governs how personal data is collected, stored, and processed. It applies to any organization that processes the personal data of people in the European Union (E.U.), wherever that organization is based; the regulation protects data subjects located in the E.U., not only E.U. citizens. Businesses that violate the GDPR, including businesses outside the E.U., face steep fines and penalties.
Complying with the GDPR can be a challenge for any business, and a remote workforce introduces additional complexity. When some or all of a business's employees and contractors work from home, the internal data protection team has less control over, and less visibility into, how personal data is handled. Strong remote access security policies help safeguard the personal and confidential data that the GDPR protects.
What is a remote access policy?
A remote access policy is the set of security requirements that remote employees and their devices must meet before they can reach company resources. A company's IT or data security team will typically set the policy. Virtual private network (VPN) usage, anti-malware installation on employee devices, full-disk encryption, and multi-factor authentication (MFA) are all examples of things that can be included in a security policy for remote access.
What does the GDPR require?
The GDPR is a very broad set of regulations. To briefly summarize, the main GDPR requirements include the following:
- Consumers must be told what data is collected about them, why, and for how long
- A company must delete a consumer's personal data if the consumer asks it to, unless a legal ground for keeping the data applies
- Consumers must be able to obtain their data in a portable format and move it from one company to another
- Businesses need a lawful basis for processing personal data; where that basis is consent, the consent must be clear, unambiguous, and freely given before the data is collected
- Personal data must be protected by appropriate technical measures, such as encryption in transit and at rest
- Personal data should be pseudonymized where possible, so that records cannot be attributed to a specific person without additional information that is kept separately
- No unauthorized persons should be able to view personal data
- Companies that suffer a data breach that exposes personal data must notify the supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of it
- Companies may transfer personal data outside the E.U. only where the recipient is covered by an adequacy decision or another safeguard such as standard contractual clauses, and may not share it with noncompliant third parties
- Public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, must appoint a Data Protection Officer
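The pseudonymization and erasure requirements above are easy to get wrong in practice: hashing an e-mail address with a plain, unkeyed hash is not pseudonymization, because anyone who can guess the address can recompute the hash and re-identify the record. The following added example (written for this page, not code from the original article or from Cloudflare) shows a keyed token scheme that keeps records joinable for analytics while the re-identification key and lookup table stay with the privacy team, plus an erasure helper. The records, key handling, and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample records with fictional people, not real data.
RECORDS = [
    {"email": "alice@example.com", "country": "FR", "orders": 3},
    {"email": "bob@example.com", "country": "DE", "orders": 1},
    {"email": "alice@example.com", "country": "FR", "orders": 2},
]


def naive_hash(email: str) -> str:
    """Unkeyed hash of an identifier. This is NOT pseudonymization: anyone who can
    guess the e-mail address can recompute the hash and re-identify the record."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonym(email: str, key: bytes) -> str:
    """Keyed token (HMAC-SHA256). Without `key`, which the privacy team keeps apart
    from the analytics data, the token cannot be attributed to a person, while the
    same person always maps to the same token so records stay joinable."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key):
    """Split records into analytics rows (no direct identifiers) and a
    re-identification table that stays with the key holder."""
    rows, lookup = [], {}
    for r in records:
        token = pseudonym(r["email"], key)
        lookup[token] = r["email"]
        rows.append({"subject": token, "country": r["country"], "orders": r["orders"]})
    return rows, lookup


def reidentify(token, lookup):
    """Only the key holder's lookup table can turn a token back into a person."""
    return lookup.get(token)


def erase(email, key, rows, lookup):
    """Right-to-erasure helper: drop the subject's analytics rows and the mapping
    entry, so the remaining data can no longer be linked to them. Returns the
    number of rows removed."""
    token = pseudonym(email, key)
    lookup.pop(token, None)
    before = len(rows)
    rows[:] = [r for r in rows if r["subject"] != token]
    return before - len(rows)


def attacker_guess(token, candidate_emails):
    """What an attacker holding only the analytics rows and a list of likely
    addresses can do: recompute the unkeyed hash for each candidate. Against
    the keyed scheme the same attempt finds nothing."""
    for e in candidate_emails:
        h = naive_hash(e)
        if h == token or h[:32] == token:
            return e
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hypothetical: in production, hold this in a KMS/HSM
    rows, lookup = pseudonymize(RECORDS, key)
    for row in rows:
        print(row)
    print("rows removed for alice:", erase("alice@example.com", key, rows, lookup))
```

The analytics rows can be shared with teams that have no business need for identities; only the key holder can re-identify a subject, and destroying the key turns the rows into data that is no longer attributable to anyone.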
Some of these requirements are unaffected by the use of remote workforces, but others are directly affected. In addition, because data security is a primary concern under the GDPR, companies that allow their workers to work from home need to make sure they are taking the right steps to protect the data that their workers access remotely.
What are the GDPR requirements for data access outside the E.U.?
Many E.U. companies have offices overseas or manage remote employees in other regions. When an employee of the organization accesses personal data from outside the E.U., the data has not been disclosed to anyone new: it stays within the same legal entity and under the company's controls, so the company remains compliant as long as the data is not exposed. (An overseas office or subsidiary that is a separate legal entity is a different recipient, and sharing data with it is an international transfer that needs an adequacy decision or another safeguard such as standard contractual clauses.)
For example, imagine that Bob is employed at a company in France that collects consumer data, then spends a month working in the U.S. (where the GDPR does not apply). His company is still GDPR compliant even if he views consumer data from his laptop in the U.S. This holds only as long as the data stays protected: Bob's laptop should be managed and encrypted, and he should reach the data over an authenticated, encrypted connection rather than by copying it locally.
This logic does not extend to independent contractors and external agencies, because they are separate legal entities and therefore third parties rather than part of the organization. Giving a remote contractor in another country access to the data is a transfer to a third party; Bob's company, as the controller, is in violation of the GDPR unless the contractor is bound by a data processing agreement and the transfer is covered by appropriate safeguards.
For this reason, strong access control is essential when managing a distributed workforce. Only designated, authorized persons within the organization should be able to access the personal data of people in the E.U., and that access should be logged.
What else should businesses with remote workforces do to ensure GDPR compliance?
In general, the main goal of the GDPR is to ensure that consumers' data remains both secure and private. The following steps are therefore a very important part of any remote access policy (not an exhaustive list):
Protect data both in transit and at rest.
Data in transit refers to data that is traveling from point A to point B — for example, data passing between a SaaS application and a user's device. Data at rest refers to stored data, such as data on a user's laptop hard drive. In both cases, data must be secured.
Access control and encryption are the key technologies for protecting data. Remote employees, like all employees, must have a documented business need for access to personal data, and their access to that data has to be granted deliberately, logged, and reviewed. Identity and access management (IAM) technologies help prevent unauthorized persons from viewing and altering data.
Additionally, data passing over networks, including the Internet, should be encrypted with TLS (HTTPS), a VPN, or another encrypted tunnel. Cloud-based applications can complicate this rule for remote employees, because traffic to a SaaS application does not necessarily pass through the corporate VPN. Data must also be encrypted when it is stored, or "at rest," on servers and hard drives. To accomplish this, IT teams need to enforce full-disk encryption on every device that stores or caches personal data, which in some cases includes employees' personal devices.
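The access-control point in this section and in the discussion of Bob and the contractor above can be expressed as an explicit policy decision that records why each request was allowed or denied. The following is an added example written for this page (not Cloudflare code and not the policy language of any product): a small evaluator that checks MFA, device posture (managed, disk-encrypted, anti-malware running), and, for resources holding personal data, that the identity belongs to the organization and to a designated group. Location is deliberately not an input, matching the page's reasoning that an authorized employee working from the U.S. is fine while a third party is not. The group names, resource tags, and data classes are hypothetical.

```python
from dataclasses import dataclass, field
import json


@dataclass(frozen=True)
class Principal:
    user: str
    relationship: str       # "employee" (part of the controller) or "contractor" (third party)
    groups: frozenset       # directory groups asserted by the identity provider
    mfa_verified: bool      # second factor satisfied in this session


@dataclass(frozen=True)
class Device:
    managed: bool           # enrolled in the company's device management
    disk_encrypted: bool    # full-disk encryption on (data at rest)
    antimalware_running: bool


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


# Hypothetical directory groups designated to handle personal data of people in the E.U.
PERSONAL_DATA_GROUPS = frozenset({"support-eu", "privacy-office"})


def evaluate(principal: Principal, device: Device, resource: dict) -> Decision:
    """Decide a single remote-access request. `resource` looks like
    {"name": "crm", "personal_data": True}. Every failed check is recorded, so
    the audit trail explains a denial instead of merely logging it."""
    reasons = []
    if not principal.mfa_verified:
        reasons.append("multi-factor authentication not satisfied")
    if not device.managed:
        reasons.append("device is not managed")
    if not device.disk_encrypted:
        reasons.append("device disk is not encrypted")
    if not device.antimalware_running:
        reasons.append("anti-malware is not running")
    if resource.get("personal_data"):
        if principal.relationship != "employee":
            reasons.append("third parties may not access personal data directly")
        if not (principal.groups & PERSONAL_DATA_GROUPS):
            reasons.append("identity is not in a group designated for personal data")
    return Decision(allow=not reasons, reasons=reasons)


def audit_record(principal: Principal, resource: dict, decision: Decision) -> str:
    """One JSON line per decision, allow or deny, for the access log."""
    return json.dumps({"user": principal.user, "resource": resource["name"],
                       "allow": decision.allow, "reasons": decision.reasons}, sort_keys=True)


if __name__ == "__main__":
    crm = {"name": "crm", "personal_data": True}
    laptop = Device(managed=True, disk_encrypted=True, antimalware_running=True)
    bob = Principal("bob", "employee", frozenset({"support-eu"}), mfa_verified=True)
    cara = Principal("cara", "contractor", frozenset({"support-eu"}), mfa_verified=True)
    for who in (bob, cara):
        print(audit_record(who, crm, evaluate(who, laptop, crm)))
```

Collecting every reason rather than returning on the first failure is a deliberate choice: a denied user (and the reviewer reading the log) sees all of the conditions they must fix, and the log shows which control did the work.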
Protect employee endpoints.
Remote employee endpoint devices (such as laptops, desktop computers, and smartphones) must be protected from cyber attacks, because a malware infection could result in a data breach. Devices should have anti-malware software installed at a minimum. A secure web gateway can also help protect employees as they browse the Internet.
Lost or stolen devices are another frequent cause of breaches: laptops or smartphones with sensitive data stored locally that employees leave in a public area. This is another reason why full-disk encryption is so important, ideally combined with the ability to wipe a device remotely.
Protect against phishing attacks and other forms of account takeover.
Phishing attacks are still one of the most common causes of data breaches. In a phishing attack, an attacker tricks a user into revealing their login credentials, enabling the attacker to take over the user's account. The implications of an account takeover can be disastrous for a company trying to remain compliant, as the attacker can then move through the organization and view, leak, or steal consumer data.
Brute force and password spraying attacks can also result in account takeover, so companies must enforce a strong password policy. Passwords should be long, unique, and checked against lists of known-breached passwords, and login endpoints should rate-limit and lock out repeated failures so that automated guessing is impractical. Wherever possible, businesses should require multi-factor authentication on every corporate application in use.
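Password policy alone does not tell you when an attack is under way; the two attack patterns just named look different in authentication logs, and a detection team can catch both with a simple sliding-window rule. The following is an added example for this page (not Cloudflare's detection logic or code from the original article) that parses a constructed authentication log and raises one alert per source for password spraying (many distinct usernames failing from one source in a short window) and one per source and user for brute force (many failures against a single account). The log format, field names, and thresholds are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: RFC 5737 documentation addresses, fictional users.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T09:00:09Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T09:00:17Z src=203.0.113.7 user=carol result=FAIL
2024-03-01T09:00:25Z src=203.0.113.7 user=dave result=FAIL
2024-03-01T09:00:33Z src=203.0.113.7 user=erin result=FAIL
2024-03-01T09:01:02Z src=198.51.100.5 user=alice result=FAIL
2024-03-01T09:01:05Z src=198.51.100.5 user=alice result=FAIL
2024-03-01T09:01:08Z src=198.51.100.5 user=alice result=FAIL
2024-03-01T09:01:11Z src=198.51.100.5 user=alice result=FAIL
2024-03-01T09:01:14Z src=198.51.100.5 user=alice result=FAIL
2024-03-01T09:02:00Z src=192.0.2.9 user=alice result=FAIL
2024-03-01T09:02:20Z src=192.0.2.9 user=alice result=OK
this line is garbage and must not crash the detector
2024-03-01T11:30:00Z src=203.0.113.7 user=frank result=FAIL
"""

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events, window=WINDOW, spray_users=5, brute_fails=5):
    """Sliding-window detector over failed logins, grouped by source address.
    Spraying: >= spray_users distinct accounts fail from one source within `window`.
    Brute force: >= brute_fails failures against one account from one source within `window`.
    Each (source, kind, account) is alerted at most once."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)

    alerts = []
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        seen = set()
        for i, cur in enumerate(fails):
            # Failures from this source inside the window that ends at the current event.
            recent = [f for f in fails[: i + 1] if cur["ts"] - f["ts"] <= window]
            users = sorted({f["user"] for f in recent})
            if len(users) >= spray_users and ("password_spraying", None) not in seen:
                seen.add(("password_spraying", None))
                alerts.append({"kind": "password_spraying", "src": src, "users": users, "at": cur["ts"]})
            per_user = defaultdict(int)
            for f in recent:
                per_user[f["user"]] += 1
            for user, n in per_user.items():
                if n >= brute_fails and ("brute_force", user) not in seen:
                    seen.add(("brute_force", user))
                    alerts.append({"kind": "brute_force", "src": src, "users": [user], "at": cur["ts"]})
    return alerts


def analyze(log_text=SAMPLE_LOG):
    return detect(parse(log_text))


if __name__ == "__main__":
    for a in analyze():
        print(a["at"].isoformat(), a["kind"], a["src"], ",".join(a["users"]))
```

Two details matter in practice. The window is what separates the spraying source from a help desk IP that sees a handful of typos spread over a day (the failure at 11:30 from the same source is outside the window and does not extend the alert), and the per-account count is what separates a brute-force attempt from a user who mistyped once and then succeeded. Real deployments would feed the alert into account lockout or step-up MFA rather than only printing it.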
How does Cloudflare help with GDPR compliance?
Cloudflare for Teams helps protect data no matter where teams are located. Cloudflare Access enables companies to implement secure access management without relying upon VPNs, by placing company resources behind the Cloudflare global network. Cloudflare Gateway blocks malicious websites with DNS filtering, offers complete visibility into traffic on and off company networks, and uses browser isolation to protect against zero-day threats. Companies can use Cloudflare for Teams to stay more secure, reducing the risk of a data breach that would put them out of GDPR compliance.
Cloudflare is also GDPR compliant itself, which helps to keep Cloudflare customers compliant.