Home office equipment – including data protection

Corona is a catalyst for digitalization. Large numbers of employees are working from home. Lendis also provides comfortable office equipment at home, but what about data protection in the home office in your company? The most important facts on the subject.

Employees who were able to work from home during the coronavirus crisis often quickly realized that there was a lack of comfortable and ergonomic office furniture. In many cases, employers helped out by renting office furniture for employees and their home offices. However, few employees pay attention to the data protection regulations for working from home.

Alexander Ingelheim, CEO of datenschutzexperte.de and certified data protection officer, explains what needs to be considered when it comes to data protection and working from home.

Lendis: In one fell swoop, employees in many companies had to work from home. What are the biggest security gaps here?

Alexander Ingelheim: The move to working from home caught many companies unprepared. Not all SMEs were digitally set up in such a way that mobile working would have been the order of the day. One of the biggest mistakes that is repeatedly made when it comes to data protection and working from home is mixing private and business devices. Be it accessing the business cloud on private devices or making private calls on the business cell phone. For example, giving quick feedback to a colleague about an applicant via WhatsApp is problematic. It is known that it is not possible to trace where the sensitive data ends up.

The use of private email accounts for business correspondence is just as big a data protection problem as the use of private storage devices for business data.

Lendis: Why is it problematic from a data protection perspective if data is quickly stored temporarily on a private storage medium?

Alexander Ingelheim: There are various reasons for this. The child's USB stick may have been used for the last presentation on the school computer, to which dozens of different storage devices were connected every day. It is not possible to trace where these were beforehand. Malware or similar can quickly creep in, which is then used on the business laptop and, in the worst case, introduced into the entire company IT infrastructure. This poses an enormous risk to sensitive (business) data. It is also a problem the other way round: If business data is stored on a private storage device - even if only briefly - and a family member borrows this very storage device, control over the stored data is quite literally out of the company's hands. This is a clear breach of data protection if the flash drive contains personal data. To prevent this from happening, clear data protection guidelines are also needed for the home office.

Lendis: So it makes sense for companies to introduce data protection security standards for working from home?

Alexander Ingelheim: Definitely! Mobile workplaces need an explicit regulation that sets out data protection standards. These must actually be defined before employees start working from home and must be clearly explained and made available to all employees. These standards are primarily intended to prevent the two major data protection problems in the home office: Protected data getting out of the company and into the wrong hands (this doesn't have to be out of malicious intent, we just heard it in the example above) or dangerous programs getting into the company. This doesn't have to happen out of malicious intent either, but usually happens much more often due to carelessness. There are already ready-made data protection guidelines for working from home that can be adapted to your own company structure and given to your employees. You can download such a draft from our website, for example. However, it is really important to go through these guidelines with all employees and explain them clearly. After all, a company's data protection is only as good as its employees have been trained in it. Our experts explain in the webinar on demand what you should pay attention to when it comes to data protection in the home office.

Lendis: What are some simple tips on how to reduce the data protection risk when working from home?

"In addition, mixing private and business hardware should be avoided at all costs. The data on the business laptop and the laptop itself must be encrypted. This also means that business devices must always be technically up to date."
Alexander Ingelheim,
Co-Founder & CEO datenschutzexperte.de

Alexander Ingelheim: If there is a data protection officer in the company, he/she must deal with this topic centrally, especially in the current situation. But there are of course standard measures that always apply. If employees only have insecure Wi-Fi connections, these must of course not be used with business devices. In this case, it would make sense for the employer to provide an internet stick, for example. The minimum standard nowadays is to dial into the company network via a VPN tunnel. In addition, mixing private and business hardware should be avoided at all costs. The data on the business laptop and the laptop itself must be encrypted. This also means that business devices must always be technically up to date. And a very important point that many companies often overlook: Just like onboarding, offboarding should also be prepared digitally to prevent ex-employees from (accidentally) taking data with them.

Lendis: And what does that mean for the physical workplace?

Alexander Ingelheim: Of course, the home office must also be designed in such a way that data protection violations cannot occur. In concrete terms, this means that the screen must be locked when employees leave their home office. Children can also accidentally send emails with sensitive content. Furthermore, privacy film for screens is very important. Especially in small apartments, it is quite common for the screen to be visible from the front door, for example. Postmen to whom you quickly open the door have a perfect view of possibly important business data without a privacy film or locked screen. A privacy screen next to the desk can also help here. These are also ideal for small apartments.

If paper files are still being used, a lockable document cabinet must also be available. Storage media or even the laptop itself - depending on whether it contains sensitive data - must also be able to be locked away after work.

However, in order to be able to monitor all these measures - and employers are actually obliged to do so as data controllers - employers need permission from employees to enter the home, as the home is a protected space.

In order to maintain a general overview of the status of data protection in the company, it makes sense in times of digitalization to make data protection smart, transparent and digital. With a solution such as the Proliance 360 data protection software, which was developed on the basis of 1,000 successful customer projects, it is possible to manage data protection holistically within the company.

Lendis: Thank you for the interview!

At our cooperation partner datenschutzexperte.de you will also find a checklist with the most important tips for implementing data protection in the company and further information on the topic of data protection-compliant working from home.