
Working remotely and GDPR:

The rise of remote working is raising new questions about personal data and the GDPR.

Covid has been a catalyst for the development of remote working. 25% of French people work remotely on a weekly basis! In France, 60% of people work remotely. The trend is set to continue. This raises questions about the impact of such a development on employees' personal data and GDPR compliance.

In 85% of recruitment interviews, candidates ask about the remote working policy in the Paris region. It is therefore essential to define this policy in advance.

What are an employer's rights and obligations when working remotely?

Remote working is a form of employment, which means that the employer has obligations and duties towards both the law and its employees.

Employers have a duty to know where their employees work. An employee can be working remotely if he or she has signed a rider, or if it is included in the employment contract that the place of residence is the place of working remotely. In the event of an accident on the job, the professional insurance company will cover the costs.

So, employers need to know where their employees will be working from, whether it's from home, a country house, the coffee shop next door, or a temporary co-working office. This is a primary obligation that employers are not always aware of.

Remote working must be declarative, as automatic geolocation is forbidden, with the exception of a request made and approved by the employee himself. For example, if the employee is away on business, he or she may share his or her location for reason X or Y. Geolocation is only authorized if it is necessary for your employee's activity.

But the employer does not have the right to put a chip in your computer and track your geolocation in the workplace in real time. There is also an obligation to prove that the workplace is suitable, as every employer has a duty to ensure the health and safety of its employees.


Working remotely and GDPR: the rules to follow

When implementing working remotely in your organization, there are a number of things to bear in mind.

First of all, there's the matter of informing people. Everyone knows the privacy policy, but no one knows the HR privacy policy. That is, there's the one that's online, but there's also the one you provide to employees. Your employees need to know whether you use their personal data, for example whether it is necessary to activate their geolocation in the context of working remotely.

Next, you are required to monitor your technical service providers. You must choose tools that are GDPR-compliant because it’s your responsibility, and because your clients verify your compliance through audit questionnaires. In the event of a data breach, the employer is held responsible.

By "technical service provider," we mean any external tool that processes employees' personal data. For example, email services, chat platforms, or the telecom operator for a business-use phone.

Finally, there's security. Security risks can increase tenfold when working remotely. We recommend using a cloud service. Make sure your teams are aware of this, so that as little data as possible is stored on the computer and that working practices limit the risks. Make it clear, for example, that employees must not work on public Wi-Fi.

Does an employer have the right to monitor employees while they are working remotely?

An employer has the right to monitor employees but must adhere to certain obligations.

It's necessary to work with a specialist because it's not possible to do it on your own. It's mandatory to do what's called an impact assessment when it comes to employee monitoring, and this impact assessment ensures that at every stage, GDPR and privacy are respected.

This is also an analysis that you need to conduct internally and with experts. There will be some data you’ll want to share with other employees and some you won’t. It may seem obvious, but that’s not always the case.

Risks when working remotely

There are two main sources of risk for GDPR and working remotely. Everyone thinks of the CNIL (National Commission for Information Technology and Civil Liberties), but that's not the primary danger.

The first source of risk is your clients. If you're not GDPR compliant, and you don't have GDPR tools, your clients are unlikely to sign with your company. Being compliant with GDPR is no longer an obstacle; rather, it becomes a selling point.

The second risk is your employees. Employees are also starting to become aware that the GDPR applies to them, and GDPR requests are only increasing. HR-related complaints account for 30% of complaint requests to the CNIL. It is only after these two main risks that the CNIL comes into play.

How can I protect my data when I work from home?

It's important to distinguish between your data and the data you process. When you work, you also process other people's data. This could be data from other employees or prospects. You need to be aware of GDPR best practices to limit risks: passwords, data exchanges...

Your data, in reality, is well protected if you have an employer who respects GDPR because they will have checked their tools for compliance and made them available to their employees.

What are my obligations as an employer?

The employer must provide security measures that are adapted to the data being processed. It's up to the employer to identify whether it's necessary to have, for example, a VPN, an information systems charter, an information systems security policy, or a back-up service, etc. Not everyone has the same security measures, as it depends on the structure's activity. 

Tips to find out if a tool is GDPR compliant

If you have a remote working tool that doesn't have a data protection officer (DPO), it's most likely not GDPR compliant.

The CNIL has put a list of DPOs online. You can therefore check this list to see whether the tool has a DPO. If the tool's DPO isn't on this list, you may want to question the tool's GDPR compliance.