How does remote working impact GDPR?
With the recent pandemic and a lot more businesses encouraging working from home, how does remote working impact GDPR risks?
GDPR (General Data Protection Regulation) became enforceable on 25th May 2018, replacing the 1998 Data Protection Act.
If you haven’t heard of GDPR by now, then as a summary: GDPR is a compliance regulation governing how businesses handle and process data. Protecting data is the key objective, specifically personally identifiable data. Personal data is information that relates to an identified or identifiable individual. Check the ICO website for more information: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/
How does this relate to remote working?
Your data, your database, your contact list… How are users accessing it remotely? Is access to the data encrypted in transit? Is the device syncing this data encrypted? Are accounts protected with MFA/2FA? Do the devices have appropriate protection?
It is your data as a business and ultimately your responsibility to protect it.
The penalties for data breaches are calculated under two tiers:
- Up to €10 million, or, in the case of an undertaking, 2% of annual global turnover – whichever is greater; or
- Up to €20 million, or, in the case of an undertaking, 4% of annual global turnover – whichever is greater.
How should I protect my data and the remote working impact on GDPR?
Protecting any account, regardless of GDPR, with MFA/2FA is highly recommended. Do you feel safer using a PIN-entry system or text message code when accessing your online banking? Thought so… So introducing a second layer of authentication to protect your emails, data or accounts, through a text message or an app, makes a great deal of sense and offers peace of mind. Cyber threats are widespread and becoming more and more sophisticated; protecting accounts with just a password isn’t enough anymore.
Microsoft OneDrive / SharePoint Online is a fantastic solution for Cloud Storage. As a platform it enables great mobility and collaboration options as part of the Office 365 suite, but are you protecting the data?
Adding MFA/2FA to the access and login process certainly adds protection when accessing the data through the web and when signing into the OneDrive client, but what happens beyond the initial login?
The likelihood is that users save the password for the web interface, allow the device to be remembered for a period of time, and also sign into the OneDrive client and sync all of the data down to their machine.
Issues arise at this point!
The machine: is it a business computer? Does it have anti-virus/anti-malware protection? Does it have a firewall enabled? Does it have DISK ENCRYPTION with a pre-boot PIN enabled?
Hopefully business laptops have been set up with the relevant protection and policies in place, but in the current work-from-home climate and cloud-accessibility scenarios the risks are greater than ever.
What happens if a user accesses everything on an unprotected laptop (personal or business) and it is then stolen, lost or deceitfully accessed?
Without disk encryption the data is easily accessible. What if your business OneDrive is synced locally?
Putting the hard disk in a caddy, resetting a user password or creating a new admin user on a machine is easy: a few minutes’ work! The data is easily compromised!
Disk encryption with a PIN adds protection: without the decryption key and/or PIN, the disk, and more importantly the data on it, is inaccessible unless the attacker can crack the recovery key and/or PIN.
When disk encryption (BitLocker, or other solutions such as ESET Endpoint Encryption) is enabled, the recovery key is 48 digits long (for BitLocker, currently), which would take years to brute-force with current technology.
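The questions above (anti-malware, firewall, disk encryption with a PIN, a locally synced business OneDrive) can be turned into a quick read-only readiness check. This is an added example, not a script from the original post; it assumes Windows 10/11 with the BitLocker, NetSecurity and Defender PowerShell modules present and an elevated session.

```powershell
# Added example: read-only remote-working readiness check for a Windows laptop.
# Assumes Windows 10/11 with Microsoft Defender and BitLocker; run elevated.

$findings = @()

# 1. Anti-virus / anti-malware (Microsoft Defender)
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp -or -not $mp.RealTimeProtectionEnabled) {
    $findings += "Real-time anti-malware protection is OFF"
} elseif ($mp.AntivirusSignatureAge -gt 7) {
    $findings += "Anti-malware signatures are $($mp.AntivirusSignatureAge) days old"
}

# 2. Host firewall: every profile (Domain, Private, Public) should be enabled
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings += "Firewall disabled for the $($_.Name) profile"
}

# 3. Disk encryption on the system drive: protection on, TPM+PIN protector
#    present, and a 48-digit recovery password protector present
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $vol -or $vol.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is not ON for $env:SystemDrive"
} else {
    $types = $vol.KeyProtector.KeyProtectorType | ForEach-Object { $_.ToString() }
    if ($types -notcontains 'TpmPin') {
        $findings += "BitLocker has no TPM+PIN protector (no pre-boot PIN required)"
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += "BitLocker has no recovery password protector"
    }
}

# 4. Is a business (work/school) OneDrive synced to this machine? The OneDrive
#    client sets this variable for commercial accounts; a local copy of the
#    data is exactly why the disk-encryption checks above matter.
if ($env:OneDriveCommercial -and (Test-Path $env:OneDriveCommercial)) {
    $findings += "Business OneDrive data is synced locally at $env:OneDriveCommercial"
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: device meets the baseline checks"
} else {
    Write-Output "Findings:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script changes nothing on the machine; each finding corresponds to one of the gaps described above that would leave synced data exposed if the laptop were lost or stolen.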
What happens if a user leaves the business having synced business data through OneDrive?
This is the risk of a non-policy, BYOD (Bring Your Own Device) world. How are you protecting data on non-business machines, and how can you ensure it is removed when employment ends? These are the points that need to be considered. Remote working is fantastic, and the technology gives us this flexibility, but how do you undo it? How do you stop data access, especially to PID?
So how does working from home impact GDPR?
If your users are using business laptops with the security measures mentioned here, then protection against loss is far greater than on a personal laptop that may lack the necessary security, account protection and encryption. Otherwise your business data is vulnerable to breach, and the penalties are high!
The pandemic has without a doubt pushed businesses into remote working and rushed deployments of remote access and file sharing, but the consequences of not introducing or implementing the correct security measures and procedures could be devastating. Penalties and fines are huge, imprisonment is a possibility, and the cost of implementing policy, procedure and protection is a snip in comparison. Do it right, do it once.
If you are in need of IT Support, advice on securing your Data or Remote Access / Working technologies we are available to assist. Contact Us