GDPR Compliance for Off-site Workers

When the European Union's General Data Protection Regulation (GDPR) takes effect on May 25 2018, firms that have already established a secure information management process covering their offsite workers will be able to demonstrate that they have met the requirements for mitigating risks to their information.

This helps safeguard both intellectual property and customer data. Offsite workers use communication devices such as laptops and smartphones for personal and work purposes alike, so their employers face the challenge of monitoring work activity without intruding on private use. Organizations are highly likely to contravene some provisions of the new EU GDPR concerning employees' right to privacy.

As the GDPR's introduction date approaches, firms are hurrying to bring their operations into line with the new requirements. Those responsible for security have to ensure that Personally Identifiable Information (PII) is sufficiently safeguarded and that proper breach-notification structures are in place. Safeguarding PII held on communication devices, however, may prove difficult, which means most business leaders will face challenges when guiding their companies toward compliance.

Firms may find it appropriate to protect work devices such as laptops from misuse. This might require software that tracks how home-workers use their devices. However, such tracking may itself undermine compliance efforts or infringe personal rights.

Offsite workers and their employers can take basic steps to remain GDPR compliant while respecting the rights of employees and customers as the law requires. Organizations need a deliberate strategy for data protection and cyber security. They should decide whether they need specific structures to protect PII on mobile devices, which first requires finding out whether they hold PII at all. If they do, they should audit how that information is stored and where it is located.

With most organizations holding close to 20% of their data in applications such as databases and internally developed applications, organizations should make protecting that data a priority. Steps toward meeting data protection requirements in this case include identifying how many times a database has been copied and where the copies are located. Copies stored on mobile devices should be erased or moved to secure internal storage unless they must be held on that device.

In some cases data is semi-structured, held in applications such as email and organized with SharePoint or similar tools. Other information is unstructured data stored in file systems. In these scenarios, one has to consider whether anything additional must be done to safeguard the information. If the majority of it consists of proposals, technical materials and reports, the only PII is likely to be the recipient's name and job title, which does not pose a significant GDPR risk. For such data, ordinary good security practice is what companies need. The same applies to customer emails.

After locating PII, appropriate policies and protections should be put in place. Organizations need to demonstrate that proper data controls are established, for example by obtaining certification under the government-backed Cyber Essentials scheme. Data protection policies that set out who can access, read and download particular information should be formulated as part of active data management, and all employees must be trained to observe them. The company should then ensure that the policies are enforced and that workers adhere to them.

Organizations should put in place system tools that help identify and protect data. This enables them to deal with any PII that remains on mobile devices.

Companies can achieve this in various ways: granting access to data while policies prevent users from downloading sensitive administrative data; securing data through encryption; enabling Mobile Device Management on mobile devices so business information can be wiped if a device is lost; or virtualizing applications and streaming them to laptops or smartphones. Businesses can also use tools like Druva inSync, which scan files as part of a recovery plan to identify PII and other sensitive data.
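The audit steps described above (find out whether PII is held, locate it, and identify copies of a dataset sitting on offsite workers' devices) can be prototyped as a small inventory script. This is an added example, not code from the article or from any product it names; the file paths and contents are constructed for illustration, and the PII patterns are deliberately simple stand-ins for a real scanner's rule set.

```python
import hashlib
import re

# Constructed sample inventory for the walkthrough: path -> file contents.
# Paths under /mnt/laptop and /mnt/phone stand for offsite workers' devices;
# /srv stands for the secure internal store. Hypothetical data only.
SAMPLE_FILES = {
    "/srv/crm/customers.csv":
        "name,email,phone\nAda Lovelace,ada@example.org,+44 20 7946 0958\n",
    "/mnt/laptop/Downloads/customers.csv":
        "name,email,phone\nAda Lovelace,ada@example.org,+44 20 7946 0958\n",
    "/mnt/phone/backup/customers (1).csv":
        "name,email,phone\nAda Lovelace,ada@example.org,+44 20 7946 0958\n",
    "/mnt/laptop/Documents/proposal.txt":
        "Proposal for Q3 network upgrade. Contact: Head of IT, ACME Ltd.\n",
}

ENDPOINT_PREFIXES = ("/mnt/laptop/", "/mnt/phone/")

# Simple indicators of personal data; a production scanner uses richer rules.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s()-]{7,}\d"),
}


def fingerprint(text):
    """Content hash, so copies are recognised even when renamed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def count_pii(text):
    """Return {kind: hits} for every pattern that matches at least once."""
    hits = {kind: len(pat.findall(text)) for kind, pat in PII_PATTERNS.items()}
    return {kind: n for kind, n in hits.items() if n}


def audit(files):
    """Group files by content; note PII hits and which copies sit on endpoints."""
    groups = {}
    for path, text in files.items():
        group = groups.setdefault(
            fingerprint(text), {"pii": count_pii(text), "internal": [], "endpoint": []})
        where = "endpoint" if path.startswith(ENDPOINT_PREFIXES) else "internal"
        group[where].append(path)
    return groups


def endpoint_copies_to_remove(files):
    """Endpoint copies of PII-bearing data that already exist on internal storage."""
    return sorted(path for group in audit(files).values()
                  if group["pii"] and group["internal"] for path in group["endpoint"])
```

Each entry returned by `endpoint_copies_to_remove` is a candidate for erasure or transfer to internal storage, subject to the business case for keeping it on the device.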