Are you prepared to work together during a crisis?
It is not only in times of Corona and sick leave that people are increasingly talking about home office. But how does a lawyer or a civil servant work from a decentralised location, for which professions is it suitable, and which good and secure solutions can be found on the market? Efficient remote working should be well thought out.
In Italy, which underwent a very intensive nationwide quarantine, much higher internet traffic was recorded early on. Insiders assume that at least 30 percent of home PC users were victims of cyber threats (e.g. phishing attacks). Both organizations and private individuals around the world depend on a functioning IT infrastructure.
In most cases, the health and safety of employees and customers is a high priority for companies, but conducting business at home and alone can also have a negative impact on business performance. Encouraging employees to work from home can have an impact on overall business performance, quality and safety.
Risks lie on the one hand in the IT infrastructure, which is not necessarily prepared for decentralized work. In addition, the staff should also be trained for the new requirements.
The performance, reliability and security of the IT infrastructure are crucial here.
IT infrastructure for decentralized work
The IT and information managers of a company should therefore ensure that the following requirements are met:
- The employees have the necessary authorizations to be able to work productively.
- The necessary licenses are in place and multi-factor authentication ensures that only authorized persons have access to company data.
- When employees use their private devices, these devices should meet minimum security standards and have protective software installed. This also includes installing the latest updates on their own system.
- Employees should be sensitized to and aware of the most important security-related dangers (phishing, malware, etc.).
Requirements for the personnel
Distributed working, and home office in particular, brings new challenges at all levels of the hierarchy:
- Quick, simple and spontaneous contact is missing. Contact in general, and the informal exchange of information in particular, is reduced. This results in the danger of isolation.
- Suddenly, communication is mainly via electronic media and tools.
- Because of the reduced contacts and exchanges, performance evaluation is more difficult.
- Coordination with employees or teams is more difficult and often more time-consuming.
In order to successfully lead a decentralized team, the following points must be met:
- Without a sense of community or team spirit, not much works. Especially in the start-up phase, a lot of time must be invested in team building.
- Structures provide orientation: Regular meetings or other appointments help to structure the day and tasks on the one hand, and to maintain interpersonal contacts on the other.
- Set clear rules: For example, within what timeframe must requests be responded to, what are the expectations regarding fixed presence times? Who reports to whom, who informs and who has access to which data?
Since informal and rapid exchange is limited and everyone works in a decentralised manner, it is also important to document the results in a uniform and systematic manner.
It should not be forgotten that not all employees have the same technical know-how and the corresponding skills in dealing with digital tools. Therefore, training of the employees involved (and also supervisors) is all the more important to ensure that everyone gets off to a good start in the new form of work.
Appropriate technical and organisational measures
Similarly, important data protection principles must continue to be respected. Non-compliance may have consequences.
Even if the employee works from home, he or she still processes personal data for and on behalf of the employer. The employer therefore remains responsible for handling this data in a manner that complies with data protection requirements. Accordingly, the employer must ensure data security through appropriate technical and organisational measures in accordance with Art. 7 of the Data Protection Act (DSG).
If the Data Protection Regulation (DSGVO) is applicable to your activity, Art. 24 (1) DSGVO provides for the same rules.
When processing personal data, for example, care must be taken to ensure that family members do not have access to this data - screen lock when leaving the workplace therefore also applies at home. Documents in paper form must be stored securely, either in a lockable cabinet or at least in a separate, lockable room. Under no circumstances should files that are no longer required end up in the waste paper at home; they must be stored securely and then destroyed in the employer's office in accordance with internal regulations. They can be destroyed in the home office if a shredder with the appropriate security level is used. To access the employer's systems, it is best to use a Virtual Private Network (VPN) to ensure encrypted data transmission.
Depending on the industry in which you operate, different data is processed with varying degrees of sensitivity. When processing personal data that requires special protection, such as health data, the rules on data security have a particularly high priority and must not be neglected under any circumstances.
To ensure sufficiently high security standards, the employer should set out clear usage regulations in writing, for example in business guidelines such as a user instruction. This way, employees know what measures they need to take for their home office.
Tools for digital collaboration
The data protection commissioner of the Canton of Zurich has examined some of the most popular digital collaboration tools for their data protection compliance. The list can be consulted at the following link: https://dsb.zh.ch/internet/datenschutzbeauftragter/en/themen/digitale-zusammenarbeit.html
Working on your own devices
If you allow employees to work on their own smartphone and/or laptop, additional data protection precautions must be observed. For this, it is best to consult the Swiss Infosec news article entitled "BYOD - Private work devices in business" from July 2019.
Conclusion
In summary, it can be stated that home offices can certainly be designed in a data protection-compliant manner. It is important that all employees know what measures they need to take to ensure data security at home. Care must also be taken to ensure that communication channels are selected that comply with data protection requirements. In principle, all points relevant to data protection must be clarified before an employer permits home office. The current exceptional situation has probably led to regular private use, even before employees have been familiarised with the relevant regulations. It is therefore imperative to issue appropriate directives as early as possible.
Swiss Infosec AG (Data Protection Competence Center) will be happy to answer your questions and support you in complying with specific Swiss data protection and DSGVO guidelines.