If you would answer my question, please, referring to Teleworking and Mobile policies in ISO27001 document toolkit, how would you audit work from home considering their privacy?
Organisations can audit their employees while they work from home, but the auditing should take into consideration a balance between employees’ right to privacy and the organisations’ legitimate needs to protect their digital assets from unauthorized exposure. On one hand, companies should evaluate the risks that come with a work-from-home or hybrid work environment: data theft, data losses, unauthorized data exposure, lack of efficient control mechanisms, and access from unsecured hardware. On the other hand, companies should evaluate whether the level of employee monitoring at home – logon/logoff times, navigation history, activity time, etc. – is justified in order to address the abovementioned risks. Companies must demonstrate adherence to the principle of data minimization, from Article 5 GDPR – Principles relating to the processing of personal data – which requires data controllers to make sure that the minimum amount of personal data is processed in order to achieve a processing purpose.
We highly recommend performing a Data Protection Impact Assessment (DPIA) before implementing technologies and policies/procedures to monitor employees that work from home.
Please find more details at these links:
- Article 5 GDPR - Principles relating to processing of personal data: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
- Article 35 GDPR - Data Protection Impact Assessment: https://advisera.com/gdpr/data-protection-impact-assessment/
- Data Protection Impact Assessment Methodology: https://advisera.com/toolkit-documents/eu-gdpr/data-protection-impact-assessment-methodology/
- 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/articles/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
Feb 24, 2023