Stricter privacy regulations and the increasingly widespread use of remote desktop software are coming together to create a perfect storm of compliance risks and regulatory obstacles. As governments and judicial bodies try to balance privacy and commerce, businesses are left navigating a volatile and turbulent sea of bureaucracy and legislation.
In an effort to streamline this process in Europe, the European Union developed the General Data Protection Regulation (GDPR), a comprehensive document with far-reaching implications for businesses that deal with European customers, directly or indirectly.
In this article, we’ll take a closer look at GDPR regulations, what they mean for businesses, and how you can ensure compliance to avoid any nasty—and costly—regulatory surprises.
What is the GDPR?
The GDPR outlines what businesses can and cannot do with customer and user data, including the manner in which it’s stored, transmitted, processed, and destroyed. Any business that has European customers or uses data collected from European citizens is required to comply with the GDPR.
Many of the document’s policies pose no particular problem for working remotely. For example, consumers must be made aware of what data is being collected from them, why, and how. Several others, however, bear special consideration when supporting a remote workforce. For example, personal data has to be encrypted and must only be revealed to and accessed by authorized individuals. Data breaches must also be reported to the appropriate authorities. Finally, data cannot be shared with non-compliant third parties or those outside GDPR jurisdiction.
What does it mean for remote workers?
So, what does this mean for businesses that use remote access software?
First, it underscores the need for clear remote working policies that reinforce the importance of protecting data, explain how to do so, and spell out the consequences of failing to.
This is particularly important given that, according to research by Vanson Bourne on behalf of Imation, 42% of businesses say they have a hard time keeping track of what information employees can access outside the office, while roughly 25% admitted that an employee had lost a device containing confidential emails, files, and consumer data, or had such a device stolen from them.
Even more concerning, close to 70% of businesses were aware of employees violating company privacy policies in order to work remotely, and 10% admitted to it happening regularly. That’s not surprising, given that 40% of businesses have no remote working policy in place that covers IT security.
All of this spells disaster for businesses that operate within the European Union in one way or another. In the age of the internet and globalization, there are few that don’t meet this description.
How can businesses ensure compliance?
With regard to remote computer access, there are several crucial steps that businesses can take to avoid breaches and stay compliant.
First, invest in a secure remote work infrastructure. Businesses should research and choose secure remote desktop software, and then ensure that all users are connecting in this fashion. Using the same remote desktop application among all employees will help your IT department deal with issues and keep everything up to code.
Next, set up and enforce the use of a secure business VPN for employees wishing to remotely connect to company resources. This helps satisfy one of the core components of the GDPR: encryption of customer data. Companies can go one step further by ensuring that all company and private devices used remotely are protected with good encryption software.
Another option is a Desktop as a Service (DaaS) model. DaaS enables employees to connect to highly secure virtual desktops, completely sidestepping the issue of storing customer data on employee devices. This can be one effective way to keep a tight grip on GDPR compliance, because you can easily develop an infrastructure suited to do so, and then employees can connect to it remotely.
The Imation survey found that 32% of employees didn’t use strong passwords, while a later study by Verizon indicated that a staggering 80% of all hacking-related breaches could be traced back to weak passwords. One of the best ways to combat this is to invest in a good password manager. This greatly increases security by allowing employees to remember a single, highly secure password, rather than 10 inevitably simpler ones.
Also, consider how customer data is being stored. If it’s stored on-site on corporate hard drives, how are your employees accessing these files? If you’re using cloud storage, is the information stored and transmitted in an encrypted manner? Check with your cloud provider about GDPR compliance and what steps they’ve taken to meet it.
Finally, regulations differ between employees and contract workers or freelancers, who may have access to European customer data when they connect remotely to one of your workstations, through screen sharing during meetings, or by working directly with company data on a personal device. Discuss GDPR compliance with remote workers outside your company, and have them sign a compliance agreement if necessary.
There are heavy fines awaiting those who fail to meet the standards set forth in the GDPR, and using remote desktop software multiplies the complexity of doing so.
The task can be greatly simplified by considering each point of contact between your distributed team and European customer data. Does your remote desktop software include encryption and security features? Are employees connecting over an encrypted business VPN? Where do third parties and contract workers fit into this scheme?
Drafting privacy policies will help you think through each of these problems and ensure GDPR compliance every step of the way, for on-site and remote workers alike.