The fight against the COVID-19 epidemic meant that the vast majority of employers introduced, at least in part, various forms of remote work. Striving to limit the presence of employees in offices requires putting in place mechanisms for work from home for various groups of employees. However, if the enterprise had no remote work culture before, a sudden "exodus" from the offices may find the organization and its employees unprepared for data protection risks, including risks to personal data. Many of these threats arise, among other things, from the use of new technologies in remote work, while understandable fears about the threatened financial liquidity of many enterprises do not encourage investment in security and push the protection of personal data further down the agenda.
First of all, it should be recalled that, according to the GDPR, a personal data breach is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed. A breach is therefore not only a situation in which data "leak", i.e. fall into the wrong hands (e.g. as a result of a hacker attack), but also e.g. the loss of access to data due to the loss of documents or damage to a data carrier (e.g. a work USB stick).
So which circumstances of remote work increase the organization's exposure to the above threats and constitute potential data security weaknesses? These undoubtedly include:
a) in terms of IT security, from the employee's perspective:
b) in terms of physical data security:
c) in organizational terms:
As already mentioned, the threats are many, but the ways to counter them need not be complicated or expensive. It is worth looking at the most important of them.
Remote work procedure for employees
If your organization has not yet adopted procedures for the protection of personal data during remote work, this is a good time to develop and implement such rules. For now, they will be the basic guidelines adopted to address the needs and goals set by the crisis management team. They can be supplemented once normal business operations are restored.
Minimum security requirements
If remote work involves employees using their own devices, it is worth refreshing employees' knowledge of the basic principles of handling information, as well as specifying (or recalling) the minimum security requirements for the devices and networks they use.
Eliminate the use of free tools
Free tools, such as consumer e-mail or popular messengers, do not provide an adequate level of data protection and are usually not intended for business use. The employer should instruct employees which communication channels (messengers, platforms, etc.) it approves for this purpose.
Education and awareness raising
Awareness raising and training are best done before a crisis, but if you are already in one, it is worth including information about the risks to personal data in the established channel of crisis communication with employees. For example, it is worth making employees aware that in the coming days they may be particularly vulnerable to, for example, a phishing attack hidden behind "clickable" information about the coronavirus (scammers have used, e.g., SARS-CoV-2 spread maps for this purpose), and what they should do in such a case (e.g. immediately inform the IT department).
What to do, however, if a breach has already occurred, e.g. an employee lost documents taken home, the network fell victim to a hacker attack, or a power failure caused personal data to be lost? First of all, it should be remembered that it may be necessary to report the breach to the President of the Office for Personal Data Protection within 72 hours of becoming aware of it. The notification should contain, among other things, a description of the nature of the breach and its likely consequences. To this end, efficient communication with the employee will be necessary in order to properly assess the risk associated with the breach and then provide the authority with all the required information. In some cases, it may also be necessary to notify the individuals affected.