Coronacrisis and teleworking: data protection, privacy and GDPR

To this end, it is advisable to take the necessary precautions and take into account existing legislation.

Below we list a few elements:

1. Data protection

First and foremost, it is important to acknowledge that with teleworking, certain data – temporarily - leave the company. Both physically and digitally, data are taken out of their normal environment.

For physical data, a good policy and the necessary awareness-raising of the employees are crucial. Make sure that employees know which documents they can take with them, how to deal with these documents  and try to keep track of which data are where.

With regard to digital data, which are undoubtedly more relevant in the context of teleworking, much depends on how they can be accessed and used at home. It is already common that e-mailboxes and cloud services can easily be used at home from a laptop or mobile phone.

In this context, it is always advisable to set up the necessary security measures to prevent unrestricted access to these data.

A good choice of passwords, multi factor authentication and limiting access to the data that are strictly necessary are always recommended. Further measures should also be considered, such as setting up a VPN connection to the corporate network and avoiding the use of free non-professional chat and cloud services (e.g. Whatsapp).

A good analysis of the risks associated with teleworking and how these risks are covered will therefore be the basis for avoiding later problems.

All this is of course easier to work out if the employees have a laptop from the employer, and where the arrangements for teleworking more than likely have already been worked out. If, on the other hand, employees work from their own device, it is important that additional security measures are taken and the necessary security is installed (e.g. antivirus scanner and mobile device management).

2. Awareness-raising of employees

While the technological support of teleworking is of course essential as a basis, the extent to which the security actually works depends mainly on the actions of the users.

Mistakes occur to a considerable extent due to inadequate and careless use on the part of the user himself.

An equally large part of the protection measures will therefore consist of raising the awareness of the employees. How should I handle the data I process at home? How do I recognise phishing emails? How do I regularly do virus scans? How do I know that there are new updates that I definitely need to perform?

There must be the necessary guidelines and obligations in this respect that are also adequately communicated to the employees.

Information sessions and the necessary additional tools and tips will ensure that the employee is aware of the dangers and pays the necessary attention to his digital traffic. Without the necessary awareness and caution on the part of the users, even the most secure network will run the risk of becoming the victim of viruses and exploits.

As always, any security system is only as strong as its weakest link.

3. Employee privacy

In addition to the protection of the data used, the privacy of the employees themselves must also be taken into account in teleworking.

Of course, because  the teleworker is away from the employer, this also limits the employer's control options.

However, the nature of an employment contract implicitly includes the right for an employer to control his employees in the performance of their work. A balance will always have to be sought between the privacy of the employees and the employer's right to control everything related to the execution of the employment contract.

When elaborating these control possibilities, it is therefore important to always bear in mind that the employees' privacy right also continues to apply in the case of teleworking. For example, there are specific guidelines for checking online communication data, for camera surveillance, the rules for home visits, etc.

In addition, indirect control measures are also possible (e.g. registration of hours worked, analysis of quotas) to which no specific legal rules apply and to which the general employment law principles are invoked.

4. Don't forget the GDPR!

No doubt personal data will also be processed as a result of teleworking (and when implementing measures in the context of the corona crisis).

As soon as personal data are processed or checked during teleworking, the General Data Protection Regulation (GDPR) must be observed. This Regulation has been in force for almost 2 years.

While many companies have already taken significant steps within their data processing policies and all the obligations and principles that must be applied, for many it still remains a continuously evolving process to be and to remain compliant.

The current Coronavirus period is therefore the ideal time to further monitor the measures taken in this respect and GDPR compliance. After all, this legislation is an (important) extension of general data management.

It goes without saying that Seeds of Law can always assist you in this respect. You can contact us via info@seeds.law or +32 (0)2 747.40.07.