The General Data Protection Regulation (GDPR) required any organisation doing business with European citizens to make significant changes by May 2018 when it came into effect. In its first year of being law, GDPR undoubtedly brought a new level of data hygiene to enterprises. Driven by the regulation, organisations across the globe went through the painful and often costly exercise of ensuring they had an overview of personal information and, more importantly, implemented tools to process and store that data in a secure manner.
As we hit the two-year anniversary of this important milestone in data management, organisations are faced with the daunting task of having to revisit their initial efforts. Why? Guidelines around the global pandemic forced huge parts of the workforce to work from home, but have also created a growing digital communication trail with your customers.
Organisations that already had processes and policies in place for remote working are counting themselves lucky. They are in the enviable position of merely ensuring those policies and rules are in use by all their new at-home workforce. However, organisations with an exclusively onsite workforce or with a limited remote workforce may have to open up the records around their data processing activities as well as their data protection impact assessments (DPIA) to see if working from home has had an impact or changes their level of risk.
Core to compliance with GDPR is due diligence. It is critical to assess the different infrastructures and systems staff use when working from home to understand whether sensitive data is flowing unprotected through networks. Is this data handled differently when staff are working at the office? It is the organisation’s responsibility to ensure that the appropriate controls are in place when personal information is accessed or processed from a home environment, just as it was when employees were in the office. As a DPIA has to identify and analyse how data privacy might be affected by the differing actions or activities when working from home, companies are obliged to ensure appropriate controls are in place depending on the sensitivity of that data.
Data privacy and working from home
When organisations were first confronted with a new set of data privacy and security regulations, many were forced to quickly implement state-of-the-art tools to keep data secure. However, two years ago, the focus of that initial exercise was most likely limited to office boundaries. Keeping sensitive data safe while working from home is now proving to be a challenge that can introduce additional risks to sensitive data.
With the global COVID-19 situation forcing all members of a household to stay at home wherever possible, each individual environment has to be evaluated. What does the workplace look like when working from home? Is there even a physical office available? Is there a closet or other location that can be locked to guarantee privacy of data and devices? And more importantly for families with children, is the technical device used for work exclusively used for work purposes or are the children spending time on it? It’s all too tempting to allow the family to use a laptop once in a while just for some peace and quiet, or for casual private browsing. On the other hand, security risks can also be introduced in the opposite way—when a private device that might not be properly equipped with security tools is used for work purposes.
Thanks to modern technology, there is no doubt that employees can stay productive while out of the office. However, organisations must ensure that employees in a private work environment keep any accessed and processed data as secure as in a corporate office. Organisations are therefore having to revisit their security posture to provide a safe remote working experience that prevents data breaches. Not only should they address vulnerabilities to their own networks and the physical storage of data, but they will also have to face the fact that most remote workers will have to move data between the corporate network, the cloud, and the personal laptop. To protect personal data in transit from one location to another, GDPR suggests encryption to protect privacy and security, as well as to prevent leakage.
Managing data in the new normal – whatever that may be
Organisations should understand that revisiting GDPR compliance might not be in vain. As we emerge from the global pandemic, working from home is predicted to become the new normal and the idea of a remote workforce is here to stay. Even if a large percentage of workers return to the office, the workforce will now be able to enjoy the flexibility of working remotely more than ever before. While GDPR compliance is focused on the protection of privacy, organisations are well-advised to maintain control over their personal and sensitive data regardless of the work environment. A remote work policy is now a necessity to manage data and keep it secure as we transition into new unknowns.
Marc Lueck is the Zscaler CISO for EMEA.