COVID19: Teleworking, cybercrime and GDPR – What to look out for
Originally published: www.huffingtonpost.gr (in Greek)
Date: 17/07/2020
Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)
During the critical period of the coronavirus we are going through, teleworking, i.e. working at a distance, has become the norm for thousands of companies and for public and private sector employees. More and more people work regularly from home on computers that are often connected to their workplace network. The use of remote collaboration systems, e.g. teleconferencing, is also constantly expanding. As a result, a very large volume of personal data, such as the data of customers, suppliers and partners, but also of the teleworkers themselves, is now processed remotely, i.e. collected, used, transmitted, etc.
However, the widespread use of the new technologies through which the above activities take place creates new risks for the protection of personal data. Tellingly, cybercrime has flourished in recent days, adapting to the special conditions created by the coronavirus. Thus, in its recent announcements, the Directorate of Cybercrime Prosecution points to the numerous new cases of cyber fraud associated with the pandemic. It also sounds the alarm about fraud through compromised accounts on social networking sites, which is proliferating. In all of the above scenarios, the perpetrators first gain illegal access to personal data, which they then use for their criminal activity, in evident breach of the letter and spirit of the GDPR.
From the point of view of the obligations of the organizations that adopt teleworking, it is recalled that, under article 24 of the GDPR, the controller must apply appropriate technical and organizational measures to ensure that the processing of personal data is carried out in accordance with the General Data Protection Regulation. Furthermore, under article 32 of the GDPR, the controller and the processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks to personal data. It is self-evident, after all, that the GDPR applies both to the teleworker and to the organization in which he/she works. Both must comply with its provisions, pandemic or not.
So what steps should teleworkers and the organizations they work for take to protect the personal data associated with the latter? Particularly useful, from the teleworker's point of view, are the tips of the Ministry of Digital Governance for safe work at home, published under the title “Tips for safe work from home”. Similarly, the Guide of the Association of Businesses and Industries on teleworking, under the title “Teleworking: Q&A and Implementation Guide”, is of great interest, mainly from the point of view of businesses. Both texts were published in March.
According to the Ministry of Digital Governance, the following measures, among others, are proposed (a selection is given below, chosen by importance; the full text should be consulted):
- The use of applications that provide full encryption of communications when sending sensitive information.
- Enabling two-step login for every account the teleworker maintains.
- Enabling biometric authentication on the mobile phone for access to online services.
- Not circulating teleconference addresses and joining instructions on social networks.
- Not using open wireless networks, which are more vulnerable to malware.
- The use of strong passwords and security software on the relevant equipment.
According to the Association of Businesses and Industries, the following actions, among others, are proposed for enterprises (a selection is given below, chosen by importance; the full text should be consulted):
- The use of a VPN.
- Strict restriction of the computers connected to corporate systems.
- Controlling access from teleworking computers to banned websites, in accordance with the relevant policy.
- Restrictions on the software programs installed on teleworking computers.
- Restrictions on data traffic and on the storage media used.
- Restriction of the information systems accessible to the teleworker.
In summary, the above proposals make clear the character of the set of measures to be implemented for safe teleworking during the coronavirus period, in compliance with the requirements of the GDPR. These are typically low-cost solutions that can be implemented quickly as a means of curbing cybercrime.
Actions of this nature can indeed prevent adverse financial and personal consequences for teleworkers and organizations, and can significantly reduce the risk of a second year of administrative fines for breach of the personal data protection policy. In any case, it is emphasized that the particular characteristics of each organization and its teleworkers dictate the à la carte measures that must be taken under the GDPR, as well as their extent and intensity.