Why GDPR Matters More Than Ever
September 30, 2021
Featured article by Alex Morgan
Facing the COVID-19 pandemic, the great majority of enterprises turned to remote labor, at least to some extent. The pandemic has also highlighted the need for better protection of personal data. However, there are numerous risks associated with the usage of modern technology in remote employment.
Unfortunately, employees often are not sufficiently aware of the importance of data security. Furthermore, there is a lack of adequate tools to protect personal data. Because of legitimate worries about financial liquidity, organizations often avoid investing in security and neglect personal data protection.
However, abiding by the data protection laws is more important than ever. Let’s see why.
Challenges of personal data protection during remote work
A personal data breach is defined by GDPR as any security breach that results in the unintentional or illegal deletion, loss, modification, or unauthorized disclosure of, or access to, personal data. This refers to all data that is stored, transferred, or otherwise processed by a company.
This means that a breach happens not only when information is leaked and accessed by unauthorized parties (e.g., as a result of a hacker attack) but also when a company loses access to data, either via the loss of documents or the loss or damage of digital data storage devices.
So, what are the remote working conditions that render organizations more exposed to such threats to data security?
These conditions are mostly tied to external factors such as employee devices, insecure apps, and the lack of awareness about the importance of data protection and best cybersecurity practices.
These are external factors that, if well-managed, bring significant benefits such as cost savings, productivity, and employee satisfaction. However, if not well-managed, they expose organizations to risks such as data breaches, data loss, and data leakage.
The risks listed above are undoubtedly numerous. However, that doesn’t mean that the methods for preventing them have to be complicated or expensive. It is worthwhile to consider essential solutions.
How to counteract threats?
Having precise data protection policies
If a company does not have personal data protection policies in place for remote workers, it should develop and apply them as quickly as possible. First, you should cover the bare minimums required to meet the needs of your organization and ensure compliance with relevant regulations. After that, you should supplement them with additional data protection policies.
These policies should cover things like data retention periods, encryption of sensitive data, records management, data breach prevention, etc. For example, having a clearly defined email retention policy will help your employees (and you) avoid violating federal or state laws. Some states have laws requiring that certain types of emails be retained for a certain amount of time. A good retention policy will clearly state how emails are to be stored, for how long they will be retained, and who will have access to them.
Your email retention policy should clearly state how emails are to be archived. Archiving is the systematic storage and retrieval of emails. Email archiving solutions store emails in their original format, separate from the email system. Archiving solutions also store metadata associated with emails. This ensures that emails can be located quickly and easily.
Ensuring device and network security
If remote employees use their own devices for work, it is worth educating them on fundamental information handling principles and defining minimal security standards for the devices and networks they use.
It is crucial to make sure that devices and networks your employees are using are properly secured in order to avoid breaking data protection laws.
To achieve this, you should offer a set of security recommendations and practical tips for employees. Your employees should know how to protect their devices (with antivirus, firewall, antispam protection, etc.) and how to secure their networks (with firewall, router, etc.). Additionally, you should provide your employees with a list of security software they can use on their devices and suggest they download and set it up themselves.
Using secure communication tools
Free communication tools such as email platforms and instant messengers may not provide an appropriate level of data security, as they are usually not designed for commercial use. The employer should suggest appropriate communication methods.
The employer should ensure that confidential information remains confidential. The employer should encourage employees always to use email in an encrypted format and to use other encryption methods where appropriate. This is particularly important when sending confidential information through public email systems.
Educating employees and raising awareness
When it comes to data protection, it is preferable to raise awareness and give training before a crisis develops.
For example, you should educate your employees about common security threats and let them know they may be particularly vulnerable to phishing attempts using clickable material about coronavirus in the coming days. They should also be aware of what to do in such a situation (e.g., immediately inform IT).
Your employees should know how to spot phishing emails and should know what to do if they receive one. They should know how to spot and avoid malware and what to do if they encounter it. They should also be made aware of common scams, such as fake software updates, and learn how to avoid them.
Over to you
If done right, remote working is highly beneficial for both workers and companies. However, it does bring many security risks.
Remote workers can be easily hacked by malicious third parties. Due to the absence of face-to-face communication, employees often fail to understand security best practices. Moreover, remote employees often lack adequate tools to protect their personal data.
In order to avoid data breaches and ensure compliance with data protection laws, you must provide your employees with adequate security tools and training.
Author: Alex Morgan
Alex is a passionate tech blogger, internet nerd, and data enthusiast. He is interested in topics that cover data regulation, compliance, eDiscovery, information governance, and business communication.