The COVID-19 pandemic has forced employees across sectors to move their work into home offices. This may be more than just a temporary shift in work location. According to a BCG survey of 1200 respondents, many companies with more than 100 employees plan to expand the use of home offices in the near future. However, working from home brings not only advantages but also a number of major challenges. One of the main concerns is data protection. In other words, how can organizations ensure that the requirements of the GDPR are met when employees work at home?
The fundamental challenge of data protection in the home office can be stated as a simple argument: “If an organization permits its employees to operate in the home office, it must be able to guarantee data protection mechanisms and levels at home also.”
Accordingly, there are three main issues that need particular attention in this context:
· The family environment: Employees must remember that they may not expose, or make accessible to their spouses, children or visitors, documents containing personal data or business or trade secrets.
· Destruction of documents: Notes that are no longer needed automatically end up in the paper trash at home. If they contain sensitive personal data, however, they must be shredded.
· Access to the Internet: Employees must connect securely to the employer’s servers (mostly via VPN) and use a secure WLAN.
If a data protection violation occurs in the home office, in which data is lost, disclosed or deleted, the question of who is liable quickly arises. The answer takes two kinds of liability into consideration:
· External liability: According to the GDPR, the “responsible body” is always liable. This is the “body that decides on the purposes of data processing”, which in this regard is the organization itself as an entity.
· Internal liability: For the question of the extent to which the employer can take recourse against the employees at fault, the degree of fault is decisive: Was the behavior slightly or grossly negligent? Was there even intent behind it?
This leads back to the question: what can companies do to prevent violations of data protection in the home office and the associated liability claims?
Central instruments in this context are work instructions or guidelines on the subject of home office, which become part of the contract. Companies can use them to lay down key points for working from home and thus alert their employees to data protection when working at home. In an emergency, a home office agreement also helps employers to at least partially take recourse against those responsible.
Organizations should pay attention to the following things, among others, in order to meet the requirements for data protection in the home office:
· A separate (lockable) workroom ensures (data) security, including from playing children. Especially if there is no such room, it is important to lock the PC during breaks and not to leave any documents lying open.
Therefore, the only significant challenge is raising employee awareness. If this is successfully conveyed on a regular basis, then organizations and employees themselves can enjoy the many advantages of working at home.