Data protection and working remotely

The paradigm shift toward remote working began even before the COVID-19 pandemic broke out. Since then, local and national directives have confined large portions of the population to their homes. As a result, many businesses have continued operating using a distributed workforce, and some, like Shopify and Twitter, have made remote working permanent.

These new circumstances demand a different security stance than working from centralized offices. Especially when it comes to maintaining the data security that the GDPR requires.

If you’re suddenly managing remote teams, it can be daunting to think about data security with everything else that’s going on. The GDPR, in general, requires that companies keep personal data private and secure.

This article will show you how, with a few simple actions, you can help ensure you stay GDPR compliant even as your team is spread out.

Now’s a good time to update your cybersecurity policy

Many employees who are not familiar with data security issues may not grasp how a simple slip-up on their part could lead to a data breach that exposes the personal data you are charged to protect. These data breaches can not only undermine consumer confidence in your company but also lead to costly GDPR fines.

A cybersecurity policy that instructs your employees on how to keep your business’s data safe is an important tool in data protection. If you don’t have one, you should make one. If you have a policy but haven’t updated it since everyone began working from home, this is the time to do so. A good place to start is by reviewing the NIST cybersecurity framework, which provides you with a set of best-practice guidelines for all stages of threat identification and mitigation.

The NIST framework covers five areas, all of which are essential components of a successful cybersecurity framework:

  1. Identify
    You should develop an understanding of your environment in order to assess the level of cybersecurity risk to systems, assets, data, and capabilities.
  2. Protect
    You should develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event. This involves controlling access to digital and physical assets, but also the responsibility to provide education and training to all employees.
  3. Detect
    You should have the ability to identify cybersecurity incidents quickly. This means using a system that can undertake continuous monitoring to detect unusual activity and other threats to operational continuity.
  4. Respond
    If a cyberattack occurs, organizations must have the ability to contain the impact. This means you will need to have a response plan in place. Once you have resolved your cybersecurity incident, you will need to update your response plan with any lessons learned.
  5. Recover
    Finally, you should have a plan to restore any capabilities or services that were affected by cybersecurity incidents.

Your IT security policy doesn’t have to be a complicated document. It should cover the reasons it exists in the first place and then lay out, in easy-to-understand terms, the exact security protocols your fellow employees should follow. If they’re confused, they can ask questions, but no one is exempt from the policy. You can also use the free templates offered by SANS, a globally recognized cybersecurity training and consultancy organization, as models for your policy.

Get a detailed guide to creating a security policy for your company with Proton’s ebook on IT security for small businesses.

Data protection: in transit and at rest

Recital 83 essentially stipulates that personal data must be protected both in transit and at rest.  Data is in transit pretty much any time someone accesses it. The data passing from this website’s servers to your device is one example of data in transit. On the other hand, data a rest refers to data in storage, like on your device’s hard drive or a USB flash drive.

The two keys to maintaining data protection when your teams are all working remotely are encryption and controlling access.

Remote security requires encryption

Your company’s sensitive data should be encrypted both in transit and at rest. Both Recital 83 and Article 32 of the GDPR explicitly mention “encryption” when discussing appropriate technical and organizational security measures. Encryption is important because if your data is encrypted and there is a breach, the data will be illegible and useless.

Keeping sensitive personal data encrypted is much easier in an office, where your cybersecurity team can maintain server security and monitor your network. But there are simple steps your organization can take so that data remains encrypted, even if it is stored on a device at your employee’s home.

First, all devices that your employees use for work — including their work phone — should be encrypted. Your employees can encrypt the hard drives of their Android, iOS, macOS, and Windows devices. There is also third party hard drive encryption software, like VeraCrypt, that will work on a wide variety of devices.

Much of the software your company likely uses, like Microsoft Office or Adobe Acrobat, also offers you the option to encrypt your saved files. This is another way you can keep your data encrypted at rest. You should follow other basic computer security steps and ensure that all employees follow them too, whether they work remotely or not.

The idea is simple. Hackers from afar aren’t the only danger posed to your data. Laptops and other mobile devices are lost or stolen all the time. Encryption software locks down files and folders so that unauthorized users can’t view the data even if they manage to get into the machine.

Control access, secure connections, no exceptions

You should revisit who in your company has access to sensitive data. Employees should only have regular access to the data they need to complete their daily tasks. Limiting the amount of data each individual can access mitigates the damage one employee’s security lapse can cause.

Your company should also use a corporate virtual private network (VPN) to limit access to your sensitive data. The VPN will encrypt your employees’ connection to your servers, letting them safely and securely access your company’s network. The corporate VPN’s encrypted tunnel will help keep your data safe in transit. It will also prevent attackers that do not have your corporate VPN from accessing your servers.

As a reminder, using public WiFi without a VPN is unwise, particularly if your work deals with sensitive data. These networks can easily be monitored by others. Your employees should even use a trustworthy VPN if they are working from home, just to be safe.

By encrypting your data, limiting each employee’s access, and using a corporate VPN to control access to your company’s servers, you significantly decrease the likelihood of there being a massive data breach.

Boring but effective advice: train your employees

Human error is one of the main causes of data breaches. Cybersecurity is difficult enough when everyone is in an office on a network you control. Relying on your employees to immediately pick up and master all the new cybersecurity policies and tools you implement while working from home will not be effective.

Your data protection officer or the team in charge of your cybersecurity should plan to run training sessions on the new policy with the entire company. This team should then train your employees (in small groups) on the new security tools and processes they will use in their day-to-day work.

Your employees will still need help even after they are trained on how to use these new tools. Your cybersecurity team should always have someone on standby to respond to questions. If possible, they should also schedule short follow-up video calls with all your employees to evaluate whether everyone is following your new security policy.

Final thoughts on cybersecurity and working remotely

By putting some of these suggestions into practice, you can relieve some of the stress of remote work. These are the data security steps that can help you avoid costly GDPR fines.

To boil it down to four steps, the most significant things that you, a small business owner, can do to stay GDPR compliant while your team is working from home are:

  1. Update your cybersecurity policy to reflect the new “working from home” reality.
  2. Train your employees and make sure your cybersecurity team is ready to support them.
  3. Keep data encrypted in transit and at rest.
  4. Limit access to sensitive data and keep your connections secure with a corporate VPN.