As governments across the globe continue to tighten legislation concerning privacy and data protection, with examples including the EU-US Privacy Shield, Swiss-US Privacy Shield, GDPR and Brexit, this remains a top concern for companies of all sizes as they struggle with staffing, processes, and the technology to manage their global privacy and data protection programs. Indeed, the Organic Law on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), commonly known as the Data Protection Law, continues to be a pending issue for many companies. Proof of this can be found in the report entitled Privacy Insights 2021, published by the consulting firm BDO Global.
The changes brought about by the COVID-19 pandemic have put many organizations in check when it comes to compliance with data protection. The consolidation of new work models, such as remote work, has had a direct impact on the increase in investigations and proceedings by the AEPD and other data protection authorities related to data misuse and breaches.
Therefore, below, we share a series of recommendations made by the AEPD, on how the data protection policy should be applied by companies with mobile and remote workers.
DATA PROTECTION: GUIDING PRINCIPLES FOR THE PROCESSING AND STORAGE OF PERSONAL DATA
The LOPDGDD, which came into force on December 6, 2018, aims to replace the old Organic Law 15/1999 on the Protection of Personal Data and adapt Spanish legislation to European regulations, in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, General Data Protection Regulation (GDPR).
The LOPDGDD includes a whole series of articles and additional provisions, in order to establish a regulatory framework on data protection, which provides legal certainty to natural persons, with regard to the processing and free circulation of their personal data, and guarantee digital rights.
In addition, this law establishes a series of principles, also included in Regulation (EU) 2016/679, which must be taken into account in the use, processing and storage of personal data.
1. Data accuracy
The data must be accurate and, if necessary, updated, in relation to the purposes pursued.
2. Integrity and confidentiality
Those responsible and in charge of data processing, together with all those involved in this process, will protect data from any risk that threatens its security, including unauthorized or illegal processing, loss, destruction or accidental damage.
3. Legality, transparency and loyalty
Personal data will be processed only when there is a legitimate purpose, informing the interested party in an open and transparent way.
4. Purpose limitation
The processing of personal data will be limited to the specific, explicit and legitimate purpose for which they were collected; further processing in a manner incompatible with that purpose is prohibited.
5. Data minimization
During the data collection process, only those that are strictly necessary should be requested.
6. Limitation of the conservation period
Data preservation will be limited in time, depending on its purpose. Once the period has been reached, the data will be erased or, at least, devoid of any element that allows the interested parties to be identified.
The data controller, that is, the natural person, legal entity or public authority that decides on the processing of the personal data of the interested parties, must determine the specific conservation period. However, the AEPD itself offers some suggestions, by way of example, on conservation periods for personal data.
7. Proactive accountability
The principle of proactive responsibility, also known as ‘accountability’, indicates that the person responsible for the processing of personal data will apply all the necessary technical and organizational measures to guarantee that the processing of personal data complies with the regulation.
Article 2 of the LOPDGDD establishes that the aforementioned principles are applicable to “any fully or partially automated processing of personal data, as well as to the non-automated processing of personal data contained or intended to be included in a file”.
Consequently, the application of data protection regulations in companies will be mandatory in any case, since all of them usually process data, whether it be from customers, suppliers or employees or any other figure for the development of their activity.
Likewise, the GDPR establishes the specific requirements for companies and organizations regarding the collection, storage and management of personal data. Specifically:
The GDPR does apply when:
- The company processes personal data and is based in the EU, regardless of where the data is processed.
- The company is based outside the EU, but processes personal data related to offers of goods or services to EU citizens or monitors the behavior of EU citizens.
Companies that do not have a headquarters within the EU and that process data of EU citizens must appoint a representative in the EU.
The GDPR does not apply when:
- The person concerned has died.
- The interested party is a legal person.
- Data processing is carried out by a person who acts for purposes unrelated to their commercial, business or professional activities.
RECOMMENDATIONS OF THE AEPD FOR THE PROTECTION OF PERSONAL DATA IN SITUATIONS OF MOBILITY AND REMOTE WORK:
The person responsible for the processing of the organization’s data, as well as mobile and remote workers, whether their remote work is of a general or exceptional nature, must take into account a series of recommendations to protect personal data to the same standard as if they performed their work in person, and in accordance with the GDPR and LOPDGDD.
Recommendations for the data controller
1. Define a data protection policy for mobility situations
This data protection policy must include:
- The needs and risks of access to corporate resources from spaces outside the control of the organization.
- Remote access modalities, type of devices and level of accessibility, depending on the profile of each employee.
- Responsibilities and obligations of employees.
- Threats that can affect remote workers and possible consequences when they do not comply with the recommendations provided by the organization.
- Informative guides for employees, covering at least the information contemplated in the AEPD document “Recommendations for personnel participating in processing operations”.
- Contact channels and formats for workers to communicate any type of incident that affects personal data.
- Remote workers must sign an agreement with the commitments acquired when carrying out their activity while on the move.
2. Specify reliable and guaranteed solutions and service providers
- Remote work applications and solutions will be used with sufficient guarantees to avoid the exposure of personal data, interested parties and corporate services of the organization.
- If employees access personal data, they will be considered data processors, bound to the controller through a contract or legal act.
3. Restrict access to information
- Depending on the role or level of access to information of each employee.
- Application of restrictions, depending on the location and device from which the information is accessed.
4. Periodically configure the equipment and devices used in mobile situations
The remote access servers must be correctly updated and configured, to guarantee compliance with the data protection policy:
- Updated operating system, applications and antivirus.
- Disable unnecessary services.
- Least-privilege configuration.
- Only applications authorized by the organization shall be installed.
- Information encryption mechanisms.
- Keep a local firewall active, and open only the communications and ports necessary to carry out the professional activity.
- If the use of personal devices is allowed, minimum requirements will be established for their use.
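The hardening checklist above and the role- and location-based restrictions from recommendation 3 can be turned into an access decision that a remote-access gateway evaluates before granting a session. The following is an added example, not code from the AEPD or this article; the tier values, field names, authorized-app list and sample devices are all constructed for illustration.

```python
# Added example: evaluate a remote-access request against the device checklist
# (updated OS/antivirus, only authorized apps, encryption, local firewall) and
# the role/location/device restrictions. All policy values are assumptions.
from dataclasses import dataclass, field

# Highest information sensitivity tier each role may reach (constructed).
ROLE_TIER = {"hr": 3, "finance": 3, "sales": 2, "contractor": 1}
# Location caps: public places get the most restrictive tier (constructed).
LOCATION_CAP = {"office": 3, "home": 2, "public": 1}
AUTHORIZED_APPS = {"vpn-client", "office-suite", "mail-client"}  # constructed


@dataclass
class Device:
    os_updated: bool
    antivirus_updated: bool
    firewall_enabled: bool
    disk_encrypted: bool
    personal: bool  # True for BYOD equipment
    installed_apps: list = field(default_factory=list)


def posture_findings(dev: Device) -> list:
    """Return the checklist items the device fails (empty list = compliant)."""
    checks = [
        (dev.os_updated, "operating system not updated"),
        (dev.antivirus_updated, "antivirus not updated"),
        (dev.firewall_enabled, "local firewall disabled"),
        (dev.disk_encrypted, "information encryption not enabled"),
    ]
    findings = [msg for ok, msg in checks if not ok]
    extra = sorted(set(dev.installed_apps) - AUTHORIZED_APPS)
    if extra:
        findings.append("unauthorized applications: " + ", ".join(extra))
    return findings


def decide(dev: Device, role: str, location: str, requested_tier: int) -> tuple:
    """Return (allowed, reasons). Any posture failure blocks the session outright;
    otherwise the requested tier must fit both the role and the location, and a
    personal device is capped one tier below corporate equipment (assumed rule)."""
    reasons = posture_findings(dev)
    if reasons:
        return False, reasons
    cap = min(ROLE_TIER.get(role, 0), LOCATION_CAP.get(location, 0))
    if dev.personal:
        cap = max(cap - 1, 0)
    if requested_tier > cap:
        return False, [f"tier {requested_tier} exceeds cap {cap} for {role}@{location}"]
    return True, []
```

Unknown roles or locations fall back to tier 0, so a request that is not covered by the policy is denied rather than silently allowed.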
5. Monitor accesses to the corporate network from outside
- Establish monitoring systems to prevent the spread of malware through the corporate network and the unauthorized access and use of resources.
- Communicate security breaches that affect personal data to the supervisory authority and/or the interested parties.
- Inform staff about the existence and scope of control and supervision activities, which can be used to verify compliance with labor obligations.
- Periodic review of the configuration defined to access resources remotely.
6. Rationally manage data protection and security
- The measures and guarantees established will be based on prior analysis of the risks.
- The policy should contemplate the internal procedures to provision and audit remote access devices, administration and monitoring procedures, services provided by managers and the way in which the policy is reviewed and updated to the existing risks.
- Limit access to resources, depending on the risk of loss of the device, exposure or unauthorized access to the information handled.
- Plan and evaluate remote access applications and solutions, based on privacy principles.
Recommendations for personnel involved in data processing
All recommendations addressed to the organization’s staff must be included in the remote work policy, with reference to the remote work agreement, and adapted to the tasks to be carried out.
1. Respect the information protection policy in mobile situations, defined by the person in charge
All the measures and recommendations contained in the guidelines and data protection and information security policy, in mobile situations, defined by the organization, as well as the other rules and procedures, must be complied with.
2. Protect the mobile device used and access to it
- Use robust access passwords different from those used in the personal sphere.
- Applications or software should not be downloaded or installed without prior authorization from the organization.
- Avoid connecting devices to unsecured open Wi-Fi networks, and avoid connecting to the corporate network from public places.
- Protect the defined authentication mechanisms (passwords, certificates, two-factor systems, tokens …) to be validated in the organization’s remote access control systems.
- The corporate equipment must not be used for private purposes.
- If the equipment used to establish the remote connection is personal, a separate profile will be defined for the work activity.
- The antivirus system installed on the computer must be operational and up-to-date.
- Verify the legitimacy of the emails received and distrust downloading attached files with unusual extensions.
- To end the workday, the remote access session should be closed and access to the device turned off or blocked.
3. Guarantee the protection of the information that is being processed
- Both in public places and in the domestic environment, the necessary precautions will be taken to guarantee data confidentiality.
- Taking documents in and out of the workplace will be reduced or avoided during mobile work.
- Information on paper cannot be discarded without guaranteeing its correct destruction.
- Do not leave any information medium in the place where you work remotely, and sessions should be blocked on the devices when they are unattended.
- Avoid exposing the screen to the gaze of third parties. When working in a public place, it is recommended to use a privacy filter for the screen.
- Prevent conversations from being overheard by third parties: use headphones or work in a space where you are alone.
4. Save the information in the enabled network spaces
- During the mobility situation, shared or cloud storage resources will be used in preference to local storage.
- If the use of personal equipment is allowed, applications that are not authorized in the entity’s policy will not be used to share information.
- The corporate backup policy defined for each device should not be blocked or disabled.
- Periodically review and eliminate residual information that may be stored on the device.
5. If information is suspected to have been compromised, the security breach shall be communicated immediately
- Any anomaly that affects data security will be notified to the person in charge, through the indicated channels and as quickly as possible.
- For any matter that poses a risk to data protection and access to corporate resources, the employee will consult the Data Protection Officer and the person responsible for information security, or the person designated for this role.