REUTERS | Eliseo Fernandez

Working from home: avoiding the GDPR traps

Due to the rapid spread of COVID-19 infections, most companies have had to send vast numbers of their employees to work from home. This has generally happened over a very short timeframe with perhaps sub-optimal planning and, as a result, businesses are now facing a range of data security, privacy and compliance issues.

We are seeing a staggering increase in ransomware, phishing, social engineering and malware attacks. Overall COVID-19-related phishing attacks grew by an astonishing 600% in the first quarter of 2020.

According to Palo Alto Networks, there was also a 656% increase in the average daily coronavirus-related domain name registrations from February to March. These are domain names which contain the word “COVID” (for example, “covidcure”), domains that are often used to lure victims into phishing attacks where they hand over their credentials or personal data.

Many of these attacks are targeting individuals who are now suddenly working from home. These people, whether working from company laptops or their own devices, may be lacking the protection given by a company IT infrastructure. And cyber criminals know that.

In work from home scenarios companies need to take extra organisational and technical measures to be compliant with the GDPR and other privacy regulations around the world.

So, what are the key risks related to personal data processing in work from home scenarios? And what measures should be taken to mitigate these risks?

Theft of personal data

The ‘integrity and confidentiality’ principle of the GDPR (which has equivalents in all major privacy regulations) must be respected no matter what. The latest phishing attacks lure victims into giving their credentials via emails with subject lines related to COVID-19, or via emails that encourage victims to visit websites that malicious cyber actors use for stealing valuable data. Any resulting loss of personal data is a breach of the integrity and confidentiality principle and, if the breach is likely to result in a risk to the rights and freedoms of natural persons, will require notification to the ICO or other relevant data protection authority and potentially also to the affected data subjects. The company may subsequently be exposed to regulatory fines and lawsuits from impacted individuals.

Consider providing staff with extra training on these risks. Staff need to become familiar with relevant policies and their role in compliance. On the software side, email filtering capability should be considered. Endpoint protection solutions and advanced threat protection should be implemented wherever possible.

Loss or destruction of personal data

Home devices that lack adequate protection and security policies are highly exposed to ransomware attacks. If data becomes accidentally unavailable, the company may again be in breach of the integrity and confidentiality principle since accidental encryption fits the description of a data breach. Again, the ICO or other relevant data protection authority and/or the affected individuals may need to be notified.

To avoid ransomware attacks, businesses should train employees not to open unsecured email attachments, and they should allow employees to use only local standard accounts on their laptops, instead of local admin accounts. Anti-virus and anti-malware packages should be fully up to date.

Unauthorised exposure of personal data

When working from home, it may be a challenge to ensure personal data isn’t seen by family members. Family members may have access to devices used to process the company’s personal data and can accidentally expose it on the internet. Often children or partners will have access to the company device, purchase something online, download a game or send an email. Accidents happen – an email containing personal data might be sent to the wrong recipient, causing a technical breach of the integrity and confidentiality principle. Despite being an innocent mistake, the GDPR’s accountability principle requires the data controller to show they have taken the necessary technical and organisational measures to process personal data in a compliant way.

Companies should ensure employees are aware of their responsibilities here. Firstly, does the organisation allow sharing of devices in this way? If it does, should it? If, perhaps for compassionate reasons during the pandemic, the business decides it can accept sharing of work devices with family members, clear rules around logging off from the company account prior to use by others need to be communicated. Businesses can also provide their employees with privacy screens for their devices.

Lack of efficient control mechanisms

A lack of control mechanisms increases the risk of losing control of personal data (for example, data might be saved on local storage or uploaded into non-approved cloud storage solutions). This can lead to breaches of several principles of the GDPR: changing the scope of the processing (data repurposing), losing the legal ground for processing, data minimisation issues (since new metadata can be generated), accuracy issues, storage limitation issues (you cannot delete data when you want) and so on. And, of course, integrity and confidentiality.

Policies and procedures around use of IT systems and data protection must be communicated and understood but also enforced. Technical solutions are needed wherever possible. Some of the common control mechanisms include identity management software, mobile device management software, data loss prevention software and advanced threat protection software.

Accessing personal data from unsecured hardware

If company devices have issues, replacing them can take time when working from home. Thus, employees might try to work from personal devices which lack the protection of corporate devices, thus risking exposure of personal data.

If companies plan to allow employees to work from their personal devices, bring your own device (BYOD) policies must be implemented, communicated and enforced. But companies should evaluate how intrusive the enforced BYOD policies are for the employees in order not to affect their rights to private life.

Ignoring procedures and policies

If employees circumvent procedures and policies (for example, sending personal data over unprotected channels like personal email, or non-approved file transfer services), they again risk breaching the core GDPR principles.

As well as communicating and training staff on these key policies, they should be routinely tested to see where bottlenecks and hurdles appear, causing staff to circumvent them. Continuous monitoring and vigilance by those with privacy compliance responsibility is needed more than ever.

Leave a Reply

Your email address will not be published. Required fields are marked *

Share this post on: