The General Data Protection Regulation (GDPR) entered into force in the EU in May 2018 to better protect individuals when companies use their data.
But the COVID-19 pandemic created new problems, including how to stay compliant in the era of remote working. We spoke with Brendan Kiely, CEO and co-founder of ThinScale Technology, a company specializing in secure technologies for remote operations, about the impact of GDPR in the new normal.
BN: What rules can companies follow to remain GDPR-compliant in a remote working environment?
BC: It depends on what the company does and, more importantly, how it collects and uses the data. Attention should also be paid to the region in which they collect data, as several EU countries have specific data protection rules in addition to the standard GDPR requirements.
In essence, GDPR consists of 7 principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability and compliance
BN: Are technical solutions, such as traffic encryption or the use of VPNs, necessary?
BC: Yes, technology must be used to enforce compliance with standards within organizations. Encryption and VPNs are basic requirements today; in some cases they are not even sufficient to ensure compliance. Companies need to find out how workers can access data and restrict that access until the risk of data loss is eliminated.
BN: Is it safe to let employees work at home with their own equipment and what steps can be taken to ensure compliance?
BC: Absolutely. Not only is BYOD for working from home a very cost-effective model, but with the right solutions on an employee's device, the endpoint can meet compliance standards. As mentioned above, it is essential that these endpoints are locked down, which means that employees cannot access unauthorized applications or dangerous websites and cannot store anything locally. The management of endpoints should also be centralised to ensure that applications and security policies are regularly updated.
Each off-site endpoint should be considered in the context of the possibility of malicious access. This could be an employee or a person who has access to the home where the machine is located. Whether it is a personal machine or a company machine, it is therefore necessary to lock it down so that data cannot be taken from it.
BYOD is based on the premise that it is compliant when a user accesses the business environment via a VPN. However, no account is taken of an attack on the computer before the user logs in. We've seen cases where keyloggers were inadvertently loaded some time before the user gained access to the VPN. Once access was granted, the credentials were forwarded to a bad actor.
In order to be compliant with the GDPR, the user's computer must therefore be fully locked down.
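The two answers above describe the same control from different angles: the endpoint must be locked down (only approved applications, no local storage, centrally updated policy) before it is allowed onto the VPN, because an unchecked device can already be compromised when the user logs in. The following is an added example, not code from the article or from ThinScale, of a posture gate that a VPN or VDI broker could run against a device's self-reported state before opening a session. The posture fields, policy values, process names and the two sample device reports are all constructed for illustration; a real agent would supply the report and a real policy would be far longer.

```python
"""
Added example (not the article's or ThinScale's code): evaluate a remote
endpoint's self-reported posture against a lockdown policy before granting a
VPN session. Field names, policy values and sample reports are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Tuple


@dataclass(frozen=True)
class Posture:
    """Self-reported endpoint state (hypothetical schema)."""
    device_id: str
    running_processes: List[str]   # executable names reported by the agent
    disk_encrypted: bool           # full-disk encryption active
    local_storage_blocked: bool    # writes to local disk / removable media blocked
    agent_policy_version: str      # policy bundle the agent last applied
    hours_since_policy_sync: int   # time since the last central policy update


@dataclass(frozen=True)
class Policy:
    """Central lockdown policy (hypothetical values)."""
    allowed_process_patterns: Tuple[str, ...]  # glob allowlist of executables
    required_policy_version: str
    max_hours_since_sync: int


def evaluate_posture(posture: Posture, policy: Policy) -> Tuple[bool, List[str]]:
    """Return (compliant, findings). Any finding means the session is denied."""
    findings: List[str] = []

    # Application allowlist: a running executable matching no pattern is unauthorized.
    unapproved = sorted(
        p for p in posture.running_processes
        if not any(fnmatch(p.lower(), pat) for pat in policy.allowed_process_patterns)
    )
    if unapproved:
        findings.append(f"unapproved processes running: {', '.join(unapproved)}")

    if not posture.disk_encrypted:
        findings.append("disk encryption not active")

    if not posture.local_storage_blocked:
        findings.append("local storage not blocked")

    if posture.agent_policy_version != policy.required_policy_version:
        findings.append(
            f"policy version {posture.agent_policy_version} != required {policy.required_policy_version}"
        )

    if posture.hours_since_policy_sync > policy.max_hours_since_sync:
        findings.append(f"policy last synced {posture.hours_since_policy_sync}h ago")

    return (not findings, findings)


# Constructed policy: only the OS, the VPN client and the VDI agent may run.
LOCKDOWN_POLICY = Policy(
    allowed_process_patterns=("system", "svchost.exe", "explorer.exe",
                              "vpnclient.exe", "vdi-agent.exe", "citrix*.exe"),
    required_policy_version="2021.3",
    max_hours_since_sync=24,
)

# Constructed sample reports: one locked-down device, one that drifted.
COMPLIANT_DEVICE = Posture(
    device_id="byod-0417",
    running_processes=["System", "svchost.exe", "explorer.exe", "vpnclient.exe", "vdi-agent.exe"],
    disk_encrypted=True,
    local_storage_blocked=True,
    agent_policy_version="2021.3",
    hours_since_policy_sync=3,
)

NONCOMPLIANT_DEVICE = Posture(
    device_id="byod-0922",
    running_processes=["System", "svchost.exe", "explorer.exe", "vpnclient.exe", "unknown_helper.exe"],
    disk_encrypted=True,
    local_storage_blocked=False,
    agent_policy_version="2020.9",
    hours_since_policy_sync=72,
)


def gate_vpn_session(posture: Posture, policy: Policy = LOCKDOWN_POLICY) -> str:
    """Decision line a VPN/VDI broker would log before opening a session."""
    ok, findings = evaluate_posture(posture, policy)
    if ok:
        return f"ALLOW {posture.device_id}"
    return f"DENY {posture.device_id}: " + "; ".join(findings)


if __name__ == "__main__":
    for device in (COMPLIANT_DEVICE, NONCOMPLIANT_DEVICE):
        print(gate_vpn_session(device))
```

The design point is that the decision is made on the device's state at connection time, not on the fact that it has a VPN client installed: a drifted device (an unlisted executable, local storage writable, stale policy) is refused before any credentials or data cross the tunnel, and every reason is logged so the central management team can see why.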
BN: Is there a need for more extensive training, e.g. in security, to ensure continuous data protection?
BC: This is all the more important in this context. The number of data leaks, of which many employees know nothing, has increased considerably. I want to encourage organizations to be more open with their employees on this topic and to give concrete examples of the impact it has on companies and customers.
BN: What are the biggest challenges for companies in terms of scalability and security?
BC: The biggest challenge now remains working from home and adopting it as a new standard for business continuity. This is a new normal, but people still see it as a temporary solution instead of a secure, scalable one. The work-from-home environment is now subject to specific security compliance audits, and we are starting to see these audits again. In addition, we can expect other regulators to do the same when PCI DSS updates its compliance requirements. The original pandemic leeway has gone, and companies that were given temporary public health dispensations now need to think about how to make the environment more secure.
We have to admit that the way we organise our business has changed, and not only in the short term. I don't think the office is superfluous, but in the post-COVID world we expect at least 40% of employees to work permanently from home, with hybrid models becoming the norm. This will have far-reaching implications for data security.
Photo credit: Nicola Stanisik / Shutterstock