Managing GDPR and CCPA Compliance for a Remote Workforce
Compliance with data privacy regulations, like the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), requires a different security stance for a remote workforce. Read on for Splashtop's five proven best practices for compliance while having a remote workforce.
Remote work isn't going away. According to a recent Gartner estimate, 51 percent of knowledge workers will be performing their work remotely at the start of 2022 - and that number is realistically higher now with the recent surge of the omicron variant across the globe.
Compliance is made more difficult under remote working conditions. Consider the findings from this recent Security Magazine article that discusses the results of the Apricorn 2021 Global IT Security Survey of more than 400 IT security practitioners across North America and Europe. The study was about security practices and policies for remote working over the past 12 months. Several results summarize the risks very well:
60% of respondents say that COVID-induced remote work conditions have created data security issues within their organizations
38% stated that data control has been very hard to manage
Despite data control concerns, nearly 20% admitted that their work devices have been used by other members of their household
Compliance with data privacy regulations for remote workers has not yet been a focus for IT teams. A 2021 Healthcare IT News article pointed out that just 2 out of every 10 IT teams said they have provided adequate tools and resources to support employees working remotely long term. This lack of preparedness puts organizations at risk of violating consumer data privacy laws, particularly GDPR and the CCPA.
The Impact of Non-Compliance
When an organization is found to have caused potential harm to consumers by not properly protecting their personally identifiable information (PII), the result can include substantial fines, loss of customers and significant brand damage. Certainly, most people can recall high-profile cases like the EU fining Amazon and H&M for GDPR non-compliance in the amounts of €746 million and €35 million, respectively. Yet, in just 3 years, the EU has issued more than 800 fines across the European Economic Area (EEA) and the U.K. (which maintains GDPR rules, even after Brexit).
Yes, smaller organizations get fined. Take, for example, the Swedish healthcare provider Capio St. Göran. It suffered brand damage and received a GDPR fine of €2.9 million following an audit of one of its hospitals. The audit showed that the company did not perform appropriate risk assessments and failed to implement effective access controls. As a result, too many employees had access to sensitive personal data.
The same type of enforcement applies to all sizes of organizations under California's CCPA. A September 2021 TechTarget article points out that the State of California recently handed out fines to a car dealership, a grocery store chain, an online dating platform and a pet adoption agency - hardly the titans of modern industry.
The bottom line: if you find yourself managing remote teams, you need to take several steps to adjust your security policy and practices to remain in compliance with personal data privacy laws.
Fortunately, Splashtop has been enabling thousands of organizations to work remotely. Here are Splashtop's 5 proven best practices for compliance while having a remote workforce.
What Data Compliance Means Under GDPR and CCPA
Both GDPR and CCPA require that companies keep personal information private and secure. Business processes that handle personal data must be designed and built with safeguards to protect data (e.g., using pseudonymization or full anonymization where appropriate). Organizations that control data must design information systems with privacy in mind.
Like GDPR, Chapter 55 of the California Consumer Privacy Act of 2018 (CCPA) defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household, such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, license plate number, passport number, or other similar identifiers.
The regulations apply to any organization's employees working in any location, whether in the office or remotely. Importantly, it does not matter where in the world employees work. The regulations apply when the consumers being protected by the regulations live in the EU, the U.K. and/or California. (Note that numerous other countries, including Brazil, South Africa, South Korea and Japan, instituted similar regulations between 2019 and 2021.)
Best Practice #1: Update your cybersecurity policy to reflect the “remote work” reality
As the above data shows, many employees are unfamiliar with data security and data subject privacy issues and simply do not recognize how their actions could lead to a data breach that exposes the personal data which your organization must protect.
The best way to inform employees is to establish and share a cybersecurity policy that instructs employees about how to keep your business's data safe. The good news is that your IT security policy can be a simple document. It should explain the reasons that it exists and provide the specific security protocols (in non-technical terms) which all employees should follow. It should also provide a contact source (email or phone #) for employees who need additional help understanding it.
Best Practice #2: Train employees and ensure IT can support them
Employees are often the weakest link in cybersecurity. Regular security training helps keep employees up to date on how to protect the organization from malicious attacks.
Account and Password Policies:
Assign all users their own logins and grant access via strong passwords and two-factor / multi-factor authentication.
Data Security Control:
Data security controls include role-based access based on the least-privilege principle, access monitoring, account reviewing/inventory and logging. This means that each user has only the minimum level of data access needed for their role.
Access controls manage electronic access to data and systems and are based on authority levels, need-to-know parameters and a clear separation-of-duties for people who access the system.
Security Incident Response:
“Security Incident Response” procedures enable an organization to investigate, respond to and mitigate security events related to Splashtop services and information assets, and to issue the required notifications about them.
Best Practice #3: Keep data encrypted in transit and at rest
Recital 83 of GDPR requires personal data to be protected - both in transit and at rest. You should consider data to be in transit any time someone accesses it, such as when it travels from a website server to a user device. 'Data at rest' refers to data in storage, such as data on a device's hard drive or a USB flash drive.
The two keys to maintaining data protection when your employees work remotely are encryption and access control.
Splashtop encrypts all user data in transit and at rest, and all user sessions are established securely using TLS. The content accessed within each session is always encrypted via 256-bit AES.
Splashtop has implemented access controls to manage electronic access to data and systems. Our access controls are based on authority levels, need-to-know levels as well as the segregation of duties for those who access the system.
Splashtop purposely avoids the over-collection of data - something which too many businesses do without a legitimate business service reason. We align more easily with regulations by NOT collecting sensitive data/information. We only collect, store and process limited PII, such as username (email), password and session logs (for customers to review, troubleshooting, etc.), and Splashtop does not sell customer information per GDPR and CCPA guidelines.
Best Practice #4: Treat geography-specific data within its own stack
If your business serves users in a regulated zone, your safest move is to create a data/technology stack specific to each regulated zone. Splashtop leverages an EU stack based in Germany. This ensures that data transfers related to EU residents remain within EU sovereignty (a strict rule of GDPR).
Best Practice #5: Use secure remote access
People who work remotely typically use VPNs and the remote desktop protocol (RDP) to access the apps and data they need to perform their work. This has led cybercriminals to exploit weak password security and VPN vulnerabilities to access the corporate network and steal data.
Splashtop's remote access solution does not rely on a VPN. Moreover, it follows a Zero Trust approach. When employees remotely access their office computer or workstation, they connect through a dedicated Splashtop connection that is not part of the corporate network. This means that they can only view and work with the data (e.g., Word documents) on their remote desktop, and data never travels outside the corporate network. IT security leaders also have the choice with Splashtop to enable or disable both file transfer and print functions. These choices are highly recommended for compliance, yet do not exist with an RDP/VPN strategy.
Splashtop remote access introduces even more security features, such as device authentication, two-factor authentication (2FA), single sign-on (SSO) and more. These modern security measures do not exist in VPN architecture.
Prevention is Easier than Cure
As these best practices demonstrate, you can take five common-sense steps to align with data privacy regulations without a massive effort. With remote work here to stay, the upside to protecting consumer data in your remote worker environment far outweighs the negative effects of being found 'out of compliance.'