Off-Site Workers and GDPR Requirements

When the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, companies that have established a secure information management process covering offsite workers will be able to demonstrate that they have met the requirements to mitigate risks to their information.

This helps to secure both intellectual property and customer information. Offsite workers use communication tools such as laptops and smartphones for both personal and work purposes. As a result, employers face obstacles in monitoring work activity without intruding on private use, and organizations that monitor too broadly risk contravening provisions of the GDPR concerning employees' right to privacy.

As the GDPR's 'go live' date nears, firms are rushing to ensure that their operations meet the new requirements. Those responsible for security have to ensure that Personally Identifiable Information (PII) is properly safeguarded and that breach notification procedures are in place. Securing PII stored on employees' devices, however, may prove difficult, which means that many business leaders will face hurdles in guiding their companies to comply with the law.

Companies may find it appropriate to protect work devices such as laptops from improper use. This might mean installing software that records how home workers use their devices. Taking such a step, however, may undermine the compliance effort itself or infringe the personal rights of the employees being monitored.

Offsite workers and their employers can take some basic steps to ensure that they are GDPR compliant and that the rights of employees and customers are respected as the law requires. Organizations need to implement a strategy for data protection and cyber security. They can then decide whether specific controls are needed to protect PII on mobile devices. This first requires establishing whether they hold PII at all. If they do, they should review how that information is stored and where it is located.

With most organizations holding almost 20% of their data in applications such as databases and internally developed systems, protecting that data should be a priority. Measures to meet data protection requirements in this case include establishing how many times a database has been copied and where those copies are held. Copies held on mobile devices should be deleted or moved to secure internal storage unless there is a genuine need for them to remain on that device.

In some cases data includes semi-structured data in applications such as email, organized using SharePoint or similar tools. Data may also include unstructured data held in ordinary file systems. Here one has to decide whether anything additional is needed to safeguard it. If the majority of the material consists of proposals, technical documents or reports, the only PII it is likely to contain is the recipient's name and job title, which does not pose a major GDPR risk, so ordinary good security practice is sufficient to protect it. The same can be said of most customer emails.

Once PII has been identified, appropriate policies and protections should be implemented. Organizations need to be able to show that proper data controls are in place; one way is to obtain a certification such as the UK government-backed Cyber Essentials scheme. Data protection policies that define who may access, read and download particular information should be established as part of active data management, and all staff must be trained to follow them. The company should then ensure that the policies are enforced and that workers comply with them.

Organizations should deploy tools that help to identify and protect data. This allows them to deal with the remaining PII held on mobile devices.

Firms can achieve this in various ways: allowing access to data while having policies and controls in place that stop users from downloading sensitive administrative data; encrypting data on the device; enrolling mobile devices in Mobile Device Management so that business information can be wiped if a device is lost; or virtualizing applications and streaming them to laptops or smartphones so the data never leaves the data centre. Companies can also make use of tools such as Druva inSync, which scan backed-up files to identify PII and other sensitive information as part of the recovery process.
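The discovery step described above (finding out whether files held on laptops contain PII, and how serious that PII is) can be prototyped in a few dozen lines. The following is an added example written for this page; it is not code from Druva, any vendor or the original author. The detection patterns, the Luhn check used to discard card-number false positives, the risk triage rule and the sample documents are all assumptions constructed for the illustration and should be tuned to an organization's own data.

```python
"""PII discovery over a set of documents: constructed example, not a product's code."""
import re
from typing import Dict, List

# Detection patterns assumed for this example; an organization would extend these
# with the identifier formats it actually handles.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK National Insurance number: two prefix letters, six digits, suffix A-D.
    # First letter may not be D, F, I, Q, U or V; second letter additionally not O.
    "uk_nino": re.compile(
        r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"
    ),
    # Any run of 13-19 digits, optionally separated by spaces or hyphens. Such runs
    # are only reported as card numbers if they also pass the Luhn check below.
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum; filters order numbers and other digit runs that look like cards."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return {kind: [matches]} for every PII kind found in the text."""
    findings: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if kind == "card":
            hits = [h for h in hits if luhn_ok(h)]
        if hits:
            findings[kind] = hits
    return findings


def risk_level(findings: Dict[str, List[str]]) -> str:
    """Assumed triage rule: identifiers usable for fraud or identity theft are 'high',
    business contact details alone are 'low', nothing detected is 'none'."""
    if "uk_nino" in findings or "card" in findings:
        return "high"
    if "email" in findings:
        return "low"
    return "none"


def inventory(documents: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Build a per-file report: risk level plus a count of each PII kind found."""
    report: Dict[str, Dict[str, object]] = {}
    for path, text in documents.items():
        findings = scan_text(text)
        report[path] = {
            "risk": risk_level(findings),
            "counts": {kind: len(hits) for kind, hits in findings.items()},
        }
    return report


# Constructed sample files standing in for what might be found on a home worker's laptop.
SAMPLE_DOCUMENTS = {
    "laptop/proposals/acme-proposal.txt": (
        "Proposal for Acme Ltd. Prepared for Jane Doe, Head of Procurement. "
        "Scope: migration of the warehouse management system."
    ),
    "laptop/exports/customers.csv": (
        "name,email,nino\n"
        "Jane Doe,jane.doe@example.org,AB 12 34 56 C\n"
        "John Roe,john.roe@example.net,\n"
    ),
    "laptop/exports/orders.csv": (
        "order_ref,card\n"
        "1234 5678 9012 3456,4111 1111 1111 1111\n"   # order ref fails Luhn, card passes
    ),
}

if __name__ == "__main__":
    for path, entry in inventory(SAMPLE_DOCUMENTS).items():
        print(f"{entry['risk']:>5}  {path}  {entry['counts']}")
```

Run against the constructed samples, the proposal containing only a name and job title comes out as "none", the customer export as "high" because of the National Insurance number, and the order export as "high" because the Luhn check confirms one genuine card number while rejecting the 16-digit order reference. In practice the scanner would walk the real file system (and attachments inside mailboxes and SharePoint exports), and the report would drive the decision described above about which copies to delete, move to secure storage or leave in place.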

Author: GDPR News