Data Protection and Home Office
Data Protection | Cybersecurity & Risk Management

What do you need to know about data protection when working from home?

Arthur
27.01.2023

To contain the COVID-19 pandemic, companies are forced to let their employees work from home. Working from home is not only an organizational challenge but also raises data protection issues. 

Whether in the office or at home, companies must protect the data they process. However, data protection legislation does not prescribe which specific measures are to be taken. Rather, each company is required to determine the appropriate protective measures based on the data processed and in consultation with its data protection officer. The processing directory, which companies of any size must maintain, offers important guidance.

If the data processed includes sensitive data - especially health data - strong protective measures must be taken. From a technical point of view, it is advisable in this case to work exclusively via a virtual private network (VPN). With a VPN, an employee in the home office works on the (hopefully well-secured) company network. This eliminates the risk that the poorly protected home Internet connection becomes an entry point for hackers.

Data protection in the home office - the risks:

If a company does not provide its employees with a VPN connection, it should at least encourage them to protect their WLANs with a WPA2 password. Default passwords are easy to find on the Internet and therefore do not offer sufficient protection. Companies are also advised to provide their employees with a list of tested software (e.g. for video conferencing) that makes working from home easier. Otherwise, employees will look for suitable software themselves, and what they find will not always comply with data protection regulations.

However, purely technical means are not sufficient to enable employees to work from home in a way that complies with data protection law. It is also advisable for employers to conclude an agreement with their employees on working from home. In addition to the technical measures that employers can require their employees to take, they should also lay down practical guidelines for working from home: Must the employee sit alone in a room when working? How should he work if there is no separate room available? And how should documents be disposed of? If they contain personal data, they are off-limits.

Since an employee's home is still a legally protected place of retreat even if he or she is working there, employers should secure access rights for themselves, e.g. to maintain IT equipment or to check compliance with data protection regulations. Of course, visits must be limited to necessary cases and must be announced in advance.

However, the legal implications of the home office are not limited to the need for a home office agreement. As always, the data protection documents that every company has to maintain must be kept up to date, e.g. the (already mentioned) data processing directory and the documentation of the technical and organizational measures. Information relevant to the home office (e.g., the use of a VPN or the instruction to work in a separate room) should be included in these documents. In 2020, the data protection authorities were reluctant to pursue data protection violations in the home office, but the tide may have turned. COVID-19 and the associated move to the home office for many companies are (unfortunately) no longer a novelty. Fines are looming. Companies that have not yet reacted to home office work from a data protection perspective should start doing so now.
