The Spanish Agency for Data Protection (AEPD) has issued a series of recommendations to avoid security breaches affecting personal data and company information as a result of the telework that millions of people are doing as a consequence of the confinement.
The body that ensures the adequate protection of personal data has recalled in this regard the recommendations that must be followed by people who travel frequently and carry company or worker information on their devices, and those that must also be followed in “exceptional and even force majeure” situations, such as the current one.
The first case allows for advance planning, but in the second, the AEPD has observed, urgent circumstances may force solutions to be implemented on a provisional basis.
When that happens and the situation continues, it is mandatory to reflect on and adapt the telework implementation, the Agency stressed, adding that “the resilience of the State, the continuity of business processes, and the rights and freedoms of the data subjects whose data is being processed depend on it.”
The recommendations highlight the importance of companies determining what forms of remote access are allowed, what type of devices are valid for each form of access, and the level of access allowed based on the mobility profiles defined for each worker.
Workers must be informed of the main threats that can affect them when working from outside the organization and of the possible consequences that can materialize if these guidelines are violated.
Company staff have to sign a teleworking agreement that includes the commitments they take on when carrying out their tasks in a situation of mobility.
The AEPD’s recommendations also point to the importance of choosing solutions and services that offer confidence and guarantees, and of avoiding applications that do not offer these guarantees and that may lead to the exposure of personal data.
The defined authentication mechanisms (certificates or passwords) that are validated by the organization’s remote access control systems must also be kept protected. Teleworkers who have a corporate device should not use it for private purposes, and should avoid accessing social networks, personal email, or websites featuring claims and shocking advertising.