DPIA for COVID-19 Remote Work Environment
We are an existing customer with the GDPR DPO Certification & GDPR/ISO 27000 Toolkit. Question: Is there any documentation on how to perform a DPIA for home workers during the COVID-19 pandemic?
During this period, Data Protection Authorities (DPAs) are establishing guidelines for organizations on how to organize homeworking. You should check with your country's DPA for specific guidelines.

The European Data Protection Board released on 19th March 2020 a statement on the processing of personal data in the COVID-19 pandemic. You can download the statement here: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf
Most DPAs stated that the pandemic outbreak does not derogate from the normal rules on data protection, yet the emergency requires balancing and mitigating risks. So, in order to perform a Data Protection Impact Assessment, you will need to follow the usual procedure in order to estimate risks.

Some of the risks arising from homeworking relate to:
• unauthorized access (i.e. family members of the workers),
• data breaches because of accidental loss of data,
• insufficient security measures (due to the use of workers’ personal devices).
In order to mitigate risks, you can have a look at our template on teleworking and Bring Your Own Device Policy in order to establish a policy for homeworkers that suits your needs. Remember to consider DPA guidelines and additional internal rules (i.e. on workers' surveillance).
Here you can find some useful information:
Useful links to Data Protection Authorities website: https://advisera.com/eugdpracademy/knowledgebase/useful-links/
How to write an easy-to-use BYOD policy compliant with ISO 27001: https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
Bring Your Own Device (BYOD) Policy: https://advisera.com/eugdpracademy/documentation/bring-your-own-device-byod-policy/
Mobile Device and Teleworking Policy: https://advisera.com/eugdpracademy/documentation/mobile-device-and-teleworking-policy/
Apr 03, 2020