Home office equipment - including data protection
Corona is a catalyst of digitalisation. Employees are moving into the home office en masse. Lendis also provides comfortable office equipment at home, but what about data protection in the home office in your company? The most important facts on the subject.
Employees who were able to work from their home offices during the Corona crisis often quickly realised that there was a lack of comfortable and ergonomic office furniture. Employers often helped out by renting office furniture for employees and their home offices. However, only a few employees pay attention to the data protection regulations for the home office area.
Alexander Ingelheim, CEO of datenschutzexperte.de and certified data protection officer, explains what needs to be considered when it comes to data protection and home offices.
Lendis: In one fell swoop, employees in many companies had to move to the home office. What are the biggest security gaps here?
Alexander Ingelheim: The move to a home office caught many companies unprepared. Not all SMEs were yet so digitally positioned that mobile working would have been the order of the day. One of the biggest mistakes that is always made when it comes to data protection and the home office is the mixing of private and business devices, be it that private devices are used to access the business cloud or that private conversations are held on the business mobile phone. For example, quick feedback to a colleague on an applicant via WhatsApp is problematic. It is well known that the destination of sensitive data is not traceable.
The use of private email accounts for business correspondence is also as big a data protection problem as the use of private storage devices for business data.
Lendis: Why is it problematic from a data protection point of view if data is quickly stored temporarily on a private storage medium?
Alexander Ingelheim: There are several reasons for this. The child's USB stick was perhaps in use for the last paper on the school computer, to which dozens of different storage devices were connected every day. Where these were before cannot be traced. Malware or similar can quickly creep in, which is then used on the business laptop there and, in the worst case, is introduced into the entire company IT infrastructure. This poses an enormous danger to sensitive (business) data. It also becomes a problem the other way round: If business data is stored on a private storage device - even if only briefly - and a family member borrows this very storage device, the control over the stored data is literally out of hand. This is a clear violation of data protection if there is personal data on the stick. To prevent these things from happening, clear data protection guidelines are also needed for the home office.
Lendis: So it makes sense for companies to introduce data protection security standards for home office work?
Alexander Ingelheim: Definitely! For mobile workplaces, there needs to be an explicit regulation that defines data protection standards. These standards must actually be defined before going into the home office and must be explained to all employees in a comprehensible way and given to them. These standards should above all prevent the two major data protection problems in the home office: protected data gets out of the company into the wrong hands (this does not have to be malicious, we just heard it in the example above) or dangerous programmes get into the company. This also does not have to happen out of malicious interest, but usually happens much more often due to carelessness. There are ready-made data protection guidelines for home offices that can be adapted to your own type of company and given to your employees. On our website, for example, you can download such a draft. However, it is really important to go through these guidelines with all employees and explain them in a comprehensible way, because a company's data protection is only as good as its employees' training in it. Our experts describe in the webinar on demand what you should pay attention to when it comes to data protection in the home office.
Lendis: What are some simple tips on how to reduce the data protection risk when working from home?
Alexander Ingelheim: If there is a data protection officer in the company, he/she must deal with this issue centrally, especially in the current situation. But of course there are standard measures that always apply. If employees only have insecure WLAN connections, these may of course not be used with business devices. In this case, it would make sense for the employer to provide an internet stick, for example. The minimum standard nowadays is to dial into the company network via VPN tunnels. In addition, the mixing of private and business hardware should be avoided at all costs. The data on the business laptop and the laptop itself must be encrypted. This also means that business devices must always be technically up-to-date. And a very important point that many companies often overlook: Just like onboarding, offboarding should also be prepared digitally so that ex-employees do not (accidentally) take their data with them.
Lendis: And what does that mean for the physical workplace?
Alexander Ingelheim: Of course, the home office must also be designed in such a way that data protection violations cannot occur. In concrete terms, this means that the screen must be locked when employees leave their home office. Children can also accidentally send emails with sensitive content. Furthermore, a privacy film for screens is very important. Especially in small flats, it can happen that the screen can be seen from the front door, for example. Postmen who open the door quickly have a perfect view of possibly important business data without a privacy film or locked screen. A privacy screen next to the desk can also help. These are also suitable for small flats.
If paper files are still used, a lockable document cabinet must also be available. Storage media or even the laptop itself - depending on whether there is sensitive data on it - must also be able to be locked away after work.
In order to be able to control all these measures - and employers are actually obliged to do so as data controllers - employers need permission from employees to enter the home, because the home is a protected space.
In order to maintain a general overview of the status of data protection in the company, it makes sense in times of digitalisation to also design data protection in a smart, transparent and digital way. With a solution like the data protection software Proliance 360, which was developed on the basis of 1,000 successful customer projects, it is possible to manage data protection holistically in the company.
Lendis: Thank you for the interview!
At our cooperation partner datenschutzexperte.de you will also find a checklist with the most important tips for implementing data protection in the company and further information on the topic of data protection-compliant work in the home office.