How to make your home office GDPR-compliant
Since the arrival of covid-19, companies have begun to embrace the home office concept. More and more businesses are choosing to allow their staff to work from home even after the crisis. This goes hand in hand with an increased awareness regarding GDPR-compliant working: as soon as the work involves personal data, certain regulations must be observed. Just because you’re working from home doesn’t mean you can change how you handle personal data. So, data protection is also relevant in your home office, and that brings responsibilities.
Personal data – what are they?
Personal data is all data that is or can be assigned to a living natural person. Anyone who stores and/or processes such data is obligated to protect them.
Spatial design is crucial to data protection in your home office
GDPR requires that third parties have no access to personal data or technical equipment. If you live in a shared flat, with a partner or your family, you must take measures to ensure that other members of your household have no access to your work data:
• Use a separate, lockable room for work. • In addition, you should store any documents or data carriers in a lockable cabinet.
• Do not leave documents with personal data on the kitchen table.
• Do not make work-related phone calls on the patio in the presence of family members or friends if it is evident from the conversation who you are talking to about whom.
• Agree “do not disturb” times so that no one can accidentally peek at your screen.
• Visualise your daily schedule, e.g. on a white- or cork board.
• Use Dahle MEGA magnets and self-adhesive magnetic tape to indicate your availability to family members on the door frame (e.g. a cross for “Do not disturb”, a circle for “Available”).
Compliant thanks to technical equipment
Alongside company-owned devices, you can also use personal end devices for work. That can be handy (you know how the devices work and don’t have to get used to or learn to use new ones), but it’s not without its problems: using your personal devices for work creates security risks and data protection issues in your home office. Aside from the blurring line between professional and personal life, you should prevent risks as follows:
• Encrypt your end device in a GDPR-compliant manner using software your employer provides, or only access corporate data via a web interface. Additionally install up-to-date protection software from your company on your end device, or store the data in a separate, specifically encrypted area; this will prevent them from being stolen from your end device.
• To avoid vulnerabilities, only use current operating systems approved by your company. One possible alternative are virtual operating systems provided by your employer.
• Only use end devices your employer has approved and ensure that the end device recognises that it is you who is using the corporate operating system – for example through a fingerprint scan or a secure password. Important: Family members must not have access to the corporate operating system. So, sticking the password to your desk or the family pinboard is not a good idea.
• Create a secure start-up password and do not store corporate data on external data carriers that have not been approved and encrypted by your employer.
• Follow the rules and procedures specified by your company’s IT department. These may be data backup mechanisms, a request for remote data deletion if your device is lost or stolen, rules for logging a device in and out of a BYOD environment, required actions if your personal device has to be repaired or replaced, or information on installing new (security) software.
• Only use secure connections for internet access – ideally via the company’s own VPN (Virtual Private Network). Other data transfer options are less secure. If you cannot set up your end devices accordingly, you should only use devices for work that your employer has made available specifically for this purpose.
As much as we wish they were, work processes usually aren’t entirely digital. Printed documents, which may also contain personal data, can be kept under lock and key, but at some point, they must be destroyed. This requires a concept: data protection compliant destruction differs from simply throwing the documents away. Before they end up in the paper recycling bin, they should be shredded.
Easy to use – secure document shredding
The PaperSAFE® document shredder, the compact document shredder for small and home offices, is a convenient solution. Its handy automatic start and stop function ensures fast and secure use; it’s easy to empty thanks to a detachable top part; and it’s safe to handle because the motor automatically shuts off when the device is opened. Its particle size of 4 x 30 mm corresponds to security level P-4 and is perfect for meeting normal protection requirements for confidential and personal data in a company.
Any questions on the GDPR?
Here’s a quick summary of our tips for observing the GDPR in your home office:
• Work in a separate, lockable room. • Set up your personal end devices for work use, or use end devices provided by your employer.
• Ensure secure access to employer systems e.g. via VPN.
• Have a concept for storing and destroying printed documents.
These tips do not replace proper legal advice. They are based on online research on websites about data protection measures.