Technical and organisational measures in the home office

Many companies have spent the last few weeks adapting the structures in the company so that many employees can work in a home office.

However, you should also bear in mind that working in a private environment increases the risk of breaches of confidentiality and data protection.

What technical and organisational measures must be taken in the home office?

In order to protect your company's know-how and to prevent data protection fines, you should ensure compliance with data protection requirements by taking certain measures.

This is because the technical and organisational measures for data security required by the General Data Protection Regulation (GDPR) must also be complied with in the home office. We have therefore compiled some technical and organisational measures (TOM) that can contribute to compliance with the data protection requirements in the home office:

Technical measures

  • Establishment of a secure and fast broadband internet connection with encrypted access to the company network (e.g. VPN).
  • Installation of a virus scanner and a firewall that also update and function outside the company network.
  • Setting a password-protected screen lock that activates automatically after a certain period of inactivity.
  • Encryption of the computer with an individual password to protect against unauthorised access by family members or other flatmates.
  • Encryption of e-mails, external data carriers and the company mobile phone.
  • Ensuring access authorisation through appropriate authentication systems (e.g. two-factor authentication).
  • Carrying out regular automated updates of all software products.
  • Data storage only on the company's servers or central IT systems.
  • Introduction of strict rights management (only administrators may install software).
  • Data backup on a central server, either on the company's own server or with a certified cloud provider in Europe.
  • Regulation and monitoring of data backup, data security and all technical measures.

Organisational measures

In order to implement the organisational measures, a security policy for the proper handling of personal data can be agreed with the employees. This can also include regulations on data destruction, security requirements, correct IT use, data transmission and communication methods. Furthermore, a commitment to data secrecy and an audit questionnaire should be completed.

Further examples, without claiming to be exhaustive, are listed below:

  • Training to raise employee awareness and familiarise them with home working (this should be carried out by or together with the data protection officer).
  • Instructions on passwords and data security.
  • Provision of company equipment such as laptops or mobile phones. Private hardware should only be used in exceptional cases and only if appropriate agreements are in place.
  • Documentation of the hardware issued to each employee.
  • Agreements prohibiting the private use of company hardware or the connection of private data carriers and other devices.
  • Setting up call diversion and instructions for reporting data breaches.
  • Clean desk policy.

Enforcing the measures outlined above enables compliance with data protection in the home office and thus reduces the risk of data protection breaches.

In addition, there are a number of further points of detail in the implementation of home working. For example, under the Act on the Protection of Business Secrets (GeschGehG) and under the employment contract provisions in force in the company, further measures and agreements may have to be taken into account for the home office. We will be happy to assist you in these areas as well.

Talk to us.

GoldbergUllrich Attorneys at Law

Attorney at Law Michael Ullrich, LL.M. (Information Law)

Specialist lawyer for information technology law
