Many companies have spent the last few weeks adapting their internal structures to enable numerous employees to work from home.
However, you should also bear in mind that working in a private environment increases the risk of trade secret and data protection violations.
Which technical and organizational measures must be implemented in the home office?
To protect your company's know-how and prevent data protection fines, you should ensure compliance with data protection requirements through specific measures.
Even in a home office, the technical and organizational measures for data security required by the General Data Protection Regulation (GDPR) must be observed. We have therefore compiled some technical and organizational measures (TOM) that can contribute to compliance with data protection requirements in the home office:
Technical Measures
- Establishment of a secure and fast broadband internet connection with encrypted access to the company network (e.g., VPN)
- Installation of a virus scanner and a firewall that update and function even outside the corporate network
- Configuration of a password-protected screen lock that automatically activates after a specified period of inactivity
- Full encryption of the computer, protected by an individual password, to prevent unauthorized access by family members or other cohabitants
- Encryption of emails, external data carriers, and company mobile phones
- Ensuring access authorization through specific authentication systems (e.g., via two-factor authentication)
- Implementation of regular automated updates for all software products
- Data storage exclusively on corporate servers or the company's central IT systems
- Implementation of stringent rights management (only administrators are permitted to install software)
- Data backup on a central server, either on the company's own server or with a certified cloud provider in Europe
- Regulation and control of data backup, data security, and all technical measures
Organizational Measures
To implement organizational measures, a security policy for the proper handling of personal data can be agreed upon with employees. This policy can also define rules for data destruction, security requirements, correct IT usage, data transmission, and communication methods. In addition, employees should sign a data secrecy commitment and complete an audit questionnaire.
Further examples, without claiming to be exhaustive, are listed below:
- Training sessions to raise employee awareness and provide instruction on remote work (should be conducted by or with the data protection officer)
- Instructions regarding passwords and data security
- Provision of company devices such as laptops or mobile phones. Private hardware should only be used in exceptional cases and only when appropriate agreements are in place.
- Documentation of hardware issuance to employees
- Agreements prohibiting the private use of company-owned hardware or the connection of private data carriers and other devices
- Setup of call forwarding, instructions for reporting data breaches
- Clean Desk Policy
Enforcing the measures outlined above enables data protection compliance in the home office and thus reduces the risk of data protection violations.
Furthermore, there are several other detailed issues in the implementation of remote work. For instance, additional measures and agreements for the home office may need to be considered under the German Trade Secrets Act (GeschGehG) and company employment contract regulations. We are also happy to assist you in these areas.
Please contact us.
GoldbergUllrich Attorneys at Law
Attorney Michael Ullrich, LL.M. (Information Law)
Specialist Attorney for Information Technology Law
