According to experts, businesses that comply with the GDPR have less and less difficulty keeping track of their risks and therefore, in this context of confinement, working properly. Travel companies with already well-established GDPR compliance reported an easier transition to teleworking when all, or most, of their employees started working from home.
In Europe, remote work takes place in a specific legal context, since it is a particular way of working which does not change the relationship between employer and employee, except for the place of work. The law also requires an agreement to be signed between the company and the employees for remote work to be carried out.
“Setting up this agreement makes it possible to define in a very simple way the modalities for remote work, such as the provision of equipment, safety rules or rules of good conduct to be respected. A set of points that are also addressed by the GDPR,” explained Michel-Emmanuel de Thuy, Digital Partner at 99 Advisory, a consultancy firm specializing in the GDPR compliance of companies.
Travel companies and other businesses had to face a number of issues when confinement was introduced in many countries. Should the employees be allowed to use their workstations at home? “Until a recent relaxation of the law, they were not allowed to use their desktop PCs at home because of the high level of confidentiality of the information they handle,” said Mr. de Thuy. The issues of working hours and the right to disconnect have also been important considerations in the implementation of remote work.
For professional exchanges, companies use platforms such as Zoom or WhatsApp. In France, the CNIL (National Commission on Informatics and Liberty) has identified certain tools that it advises against using because of the security risks they entail. It is clear that GDPR compliance, which aims to optimize internal data management policies, raises issues common to the implementation of remote work.
“Travel companies that have already thought about these issues before therefore had a much easier time suddenly implementing remote work,” said Mr. de Thuy.
One of the crucial topics for many businesses is security. In finance, for example, where many transactions take place, the security of exchanges is obviously the main issue. This is where the role of the Data Protection Officer (DPO) or the GDPR compliance team is very important. The mission of this person or team is to monitor the company's data, evaluate it within the framework of the GDPR and assign the necessary level of risk or confidentiality.
This exercise makes it possible to know which data is expected to be highly secure and thus to better supervise the practice of remote work.
“Obviously, financial data used to book a trip - bank card, security key - are very important, but other types of data, such as health data, also need to be processed in a secure way,” explained Mr. de Thuy.
Although there is always a risk of cyber-attacks, employees' behavior when working from home is the first risk that companies face. Companies must ensure the security of the equipment provided for remote work by checking that VPNs, antivirus software and documents, for example, are kept up to date. In the end, it is a question of good IT practices.
It is recommended that the company provide a good-conduct guide for employees working remotely. Not letting family members use the professional workstation is one good example to follow in order to avoid serious consequences. The company should also follow some rules, such as forbidding employees from using their personal computers to connect to the company's professional network.