The impact of GDPR on remote working

What elements of the General Data Protection Regulation (GDPR) do HR professionals need to think about when staff are working from home? Caroline Smith reports

Just 20 years ago, the idea of being able to work remotely seemed very far away. The systems in use and slow internet connections meant it was nearly impossible to be productive. Today, vast improvements in technology mean that nearly everyone who works in an office can work from home in some capacity, and the truly remote worker is on the increase. However, so too is our reliance on valuable company data, which is a potential target for data theft.

Whether at home or in the office, as employees we are continually accessing data as part of our daily tasks. This always carries an element of risk, as any system will have a degree of vulnerability. However, remote workers may be using public networks to access data and will also at times move their devices into public spaces, increasing the risk of that device being mislaid (does anyone else feel fearful when travelling on public transport with their company laptop?). When staff work remotely it can be more difficult not only to detect a data breach but also to identify how that breach occurred.

When a company has remote workers, it will always be on its mettle to ensure that information remains secure. The task HR professionals have is to ensure that any policies adopted around their employees balance the protection of data against the fundamental rights of the employee, including their right to privacy. That job is made all the more tricky by the GDPR, which came into force earlier this year. The GDPR vastly increases fines for any data breach, while also giving individuals far more rights over their personal data. With that in mind, do HR professionals need to revisit their current policies?

Many companies currently put in place workplace policies that allow employers to track employees’ usage of their devices (keystroke trackers) and their location. However, employees often use their devices for both work and their personal life, and that makes separating the two worlds very difficult. Without that degree of separation, the use of keystroke tracking technology could infringe employees’ rights under the GDPR, as such processing could be deemed excessive and potentially disproportionate (though it is important to note this remains untested).

So the question the HR professional must ask themselves is whether there are other, less intrusive, ways to protect our data.

The answer is yes. Article 32 of the GDPR requires that all organisations use technical and security measures, and while there are no mandated methods, there is a list of measures that are considered suitable, e.g. encryption of data. Data encryption means that only approved users can access a data set, so that if a laptop were lost, the data would not be accessible without the encryption keys/code.

It is not always possible to encrypt all data, and therefore the GDPR concept of ‘pseudonymization’ may be useful. Masking data by replacing identifying information with artificial identifiers means that only part of a data set is visible, and when done correctly it cannot be ‘rebuilt’.
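As an added illustration (not part of the original article) of what ‘done correctly’ means in practice: identifying fields in a constructed HR data set are replaced with keyed HMAC tokens, with the key held apart from the data, so rows for one person stay linkable for analysis but the tokens cannot be recomputed by anyone who lacks the key. The self-checks show why an unkeyed hash of a guessable identifier such as an employee number is not a correct pseudonym. Record values, field names and function names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample HR records; not real people or a real employer.
RECORDS = [
    {"employee_id": "E1042", "email": "a.person@corp.example", "role": "Analyst", "grade": "B2"},
    {"employee_id": "E1043", "email": "b.person@corp.example", "role": "Engineer", "grade": "C1"},
    {"employee_id": "E1042", "email": "a.person@corp.example", "role": "Analyst", "grade": "B3"},
]
IDENTIFYING_FIELDS = ("employee_id", "email")


def _token(value, key):
    """Artificial identifier for one value.

    key=None is the weak form (a bare SHA-256 digest) kept only so the
    self-check below can demonstrate why it is not good enough.
    """
    data = value.encode()
    if key is None:
        return hashlib.sha256(data).hexdigest()[:16]
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key, fields=IDENTIFYING_FIELDS):
    """Replace identifying fields with tokens; non-identifying fields stay.

    With a secret key the same value always maps to the same token, so the
    records remain linkable, while the key (held separately, e.g. by HR)
    is the only route back to the original identifier.
    """
    return [{**r, **{f: _token(r[f], key) for f in fields}} for r in records]


def leaks_identifiers(original, masked, fields=IDENTIFYING_FIELDS):
    """Self-check: no raw identifier survives in the masked data set."""
    raw = {r[f] for r in original for f in fields}
    return any(m[f] in raw for m in masked for f in fields)


def guessable_without_key(masked, candidates, fields=IDENTIFYING_FIELDS):
    """Self-check: tokens must not equal the unkeyed digest of a candidate
    identifier, since anyone can recompute such a digest for short IDs."""
    plain = {_token(c, None) for c in candidates}
    return any(m[f] in plain for m in masked for f in fields)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once and stored apart from the data
    masked = pseudonymize(RECORDS, key)
    print(masked)
```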

Blocking access to personal email, on the grounds that personal email is unlikely to carry the correct technical and security measures and may lead to an Article 32 breach, may also be warranted.

While technology such as keystroke monitoring can be useful where you have remote workers, the fusing of private and work life can make the use of that technology on its own risky under the GDPR. HR professionals may want to explore alternatives, partnering with their information security team to evaluate current policies and to identify any sensitive data sets which, if exposed, would create risk for the business. Once identified, measures may be taken and policies put in place requiring encryption and/or pseudonymization, both of which are endorsed under the GDPR.

Caroline Smith is associate general counsel EMEA and APAC at HireRight

Legal disclaimer: HireRight prepared these materials for informational purposes only. These materials are not intended to be comprehensive, and are not a substitute for, and should not be construed as, legal advice. HireRight does not warrant any statements in these materials. Employers should direct to their own experienced legal counsel questions involving their organisation’s compliance with or interpretation or application of laws or regulations and any additional legal requirements that may apply.