Why businesses need to maintain GDPR compliance during remote working [Q&A]
The General Data Protection Regulation (GDPR) came into force in the EU in May 2018 with the aim of giving individuals greater protection over how businesses use their data.
But the COVID-19 pandemic has thrown up new challenges, and remaining compliant with the regulations in an age of remote working is one of them. We spoke to Brendan Kiely, managing director and co-founder of secure remote working specialist ThinScale Technology, to discuss the implications of GDPR and the 'new normal'.
BN: What rules can companies follow to ensure they remain GDPR compliant in a remote work environment?
BK: It is dependent on what the company does, and, more importantly, how they collect and use data. One also has to look at the region that they are collecting data from as different countries in the EU can have specific regulations on data protection on top of 'standard' GDPR requirements.
At its base, GDPR covers 7 principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Data accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability and compliance
BN: Is there a need to adopt technical solutions such as encryption of traffic or VPN use?
BK: Yes, technology must be utilized to maintain compliance standards within organizations. Encryption and a VPN are now baseline requirements; in fact, in some cases they may not even be enough to guarantee compliance. Organizations need to drill down on how employees are accessing data and restrict them to the point where any risk of data leakage has disappeared.
BN: Can employees safely be allowed to use their own equipment when working from home, and what measures can be put in place to ensure compliance?
BK: Absolutely. BYOD for work at home is not only an extremely cost-effective model, but with the right solutions on top of the employee’s device, the endpoint can meet compliance standards. As mentioned before, it is vital that these endpoints are restricted, meaning the employee cannot access unapproved applications, unsafe sites, or save anything locally. The endpoints must also be centrally managed to ensure frequent updating of applications and security policy.
Any endpoint that is off-site must be looked at in the context of the possibility of a bad actor gaining access. This may be the employee or a person that has access to their home where the machine is located. So, whether it is a personal machine or a company machine, it is imperative that it is locked down in such a way that data cannot be removed from that machine.
With BYOD there is a view that if the user is accessing the company environment via a VPN, this is compliant. This does not, however, take into account an attack on the machine before the user logs in. We have seen instances where keyloggers were inadvertently downloaded some time prior to accessing the VPN. Once the VPN was accessed, the credentials were passed to the bad actor.
It is therefore imperative that in order to be GDPR compliant the user's machine must be fully locked down.
BN: Is there a need for greater education, such as security awareness training, to deliver continued protection of data?
BK: Yes, the reality is that every organization should be aware of these data protection regulations. DPOs are great, but smaller companies realistically don't need them and often aren't required to have them (dependent on the company activity, of course). So a push for awareness of GDPR's rules, where relevant to employees, is vital.
This is more important in the current context. There has been a marked increase in data breaches that a lot of employees are not aware of. I would encourage organizations to be more open with their employees about this and provide concrete examples demonstrating the impact on the business and the customers involved.
BN: What are the greatest challenges currently facing businesses in terms of scaling and security?
BK: Right now the major issue is still work at home and its acceptance as the new standard for business continuity. It is the new normal, yet people are still treating it as a stopgap, not a secure and scalable solution. Now that WaH environments are falling under particular scrutiny when it comes to security compliance, we are starting to see these audits returning. Further, as PCI DSS is updating its requirements for compliance, we can expect other regulatory bodies to do the same. The initial pandemic allowance is gone, and companies who got by on rolling out temporary WaH solutions now need to look at how they can make their environment more secure.
We need to accept that the way we organize our businesses has changed and not just for the short term. Whilst I don't believe the office is redundant, in a post COVID world we predict that at least 40 percent of employees will work from home on a permanent basis with hybrid models becoming the norm. This will have profound impacts on data security.