The General Data Protection Regulation has been in effect since May; however, the full impact and implications of GDPR are still to be seen and understood. Although companies around the world have been preparing for the new regulations for years, it is estimated that as many as 80% of affected organizations will fall short of the legislation’s data protection requirements. So it’s important to continue assessing risk and making necessary changes to ensure compliance.
The implications of GDPR for remote workers are an area of unique concern, and one that likely didn’t receive the same attention as those for in-office employees. As the rate of remote, flexible, and contingent workers is on the rise, however, companies will benefit from investing time in understanding the associated risks and putting policies in place to mitigate them.
Defining and addressing the specific risks around remote workers remains a challenge, not only because of the broad reach of GDPR but also because many of the finer details are yet to be clarified. For example, what is the responsibility of a US-based organization collecting or processing the data of an EU citizen who lives and works in America? What happens when that individual travels to the EU for a visit and works from a laptop or just checks work email on their phone?
It’s impossible to foresee and plan for every variation of this scenario, which really means that to maintain compliance with GDPR, companies must account for all possibilities. Three aspects of remote working, in particular, must be addressed to adequately manage risk and also demonstrate to regulators that your organization has taken necessary steps to meet requirements.
1. Device Security
Incredible advances in technology have made it possible for colleagues in different parts of the world to collaborate as if they’re in the same room, enabling an increasing number of employees to regularly work from home or while traveling. Despite the many benefits for both workers and employers, remote working arrangements invariably increase risk when it comes to data security.
Laptops, tablets, and phones used remotely aren’t always protected by the same security measures in place within an office. These devices are also at a higher risk of being lost or accessed by unauthorized users—at which point, because the device is not physically present, determining the time, extent, and method of any data breach can be exceedingly difficult. Companies can reduce the risk to protected data by using encryption and remote management of devices, including mobile phones. Additionally, all devices should be kept up to date with the latest software, particularly company-installed anti-virus software. For essential functions like HR and global payroll, using a cloud-based system, in which personal data is managed from a central database rather than on individual devices, can help ensure critical information stays protected. Such systems also allow for granular access controls by user function, business need, and even location—which can significantly reduce the risk of data exposure in remote devices.
2. Information Management
In the lead-up to GDPR, it’s likely that your organization issued updated guidelines for information management within your office. Everyone probably completed a formal training on the new procedures, whether in a group setting or independently online. However, it’s equally likely that the new guidelines did not fully account for the challenges of managing important data outside of the office.
To account for the inherent risks in managing protected data remotely, it’s crucial for organizations to set clear guidelines around what information should never leave a secure environment and to establish access permissions that support those policies. Every worker should have easy access to a written security policy that explains the responsibilities of employees and clearly states what they are and are not allowed to do regarding data—and all workers should verify that they have read and understood the policy.
3. Policy Awareness
Key to understanding—and thereby abiding by—company policies in support of GDPR compliance is being aware of the legislation and its scope. While everyone impacted surely knows the basics of GDPR, it’s a different expectation that every employee will understand why compliance with the legislation is so important. For companies and employees within the scope of GDPR, the control individuals now have over their personal data is unprecedented in the digital age. And it benefits both workers and their employers if everyone fully understands their rights and responsibilities under GDPR.
Within the office setting, compliance goals can be embedded into the company culture by enforcement of a clean desk policy or even visual reminders throughout the office, so that compliance becomes an automatic consideration of employees. Remote workers, however, don’t get the benefit of those reinforced cues. And for employees who travel often, the additional security concerns around moving data and devices through public spaces probably aren’t discussed in the office. For remote or contingent workers who are new to the company, GDPR awareness may be as minimal as an onboarding slide deck.
Consistency for Compliance
The way to achieve a compliance mindset for all employees, especially those working remotely, is for companies to adequately, consistently express the importance of data security. Putting the right access and management controls in place is essential, but reaffirming the significance of them is equally important. For companies using an optimized cloud-based payroll system with configurable workflows and traceability measures, compliance cues can become part of the process for all workers using the system.
The language of GDPR has brought about a sea change in how companies and individuals view personal information, data protection, and even consent. Helping employees understand what that change means in terms of how their own information is collected and processed in various areas of their life can also help them better understand the need to adhere to compliance policies at work—wherever that work may take them. Through ongoing review and training, and by implementing systems that affirm compliance measures and prioritize data security, business leaders and managers can help their workforce better support compliance needs for GDPR and any regulations to come.