This change of the way employees work has become necessary overnight, the only option being that of working from home. Under these circumstances, employers must put in place measures that will ensure the protection of the personal data of their employees, of their clients and partners.

These measures consist of a set of rules, actions and most likely investments in licensed remote work tools.

1. Policies

If the company already has specific data protection and confidentiality policies, no major changes are required. However, if such policies are missing, now would definitely be a good time to implement them. Controllers must maintain GDPR compliance even when a state of emergency has been declared.

Considering that employees are taking home devices such as laptops, PCs, tablets but also documents that contain personal data, hard copies thereof or saved on various storage devices, it is highly recommended to establish new obligations or to remind employees of the old ones so as to make sure that the data requiring protection is not disclosed to third parties due to a security breach.

Companies that don’t have internal rules to regulate remote database access must put in place new temporary measures, to be used by all employees while working from home.

2. Remote database access

Considering that servers/databases will be accessed remotely from home, every employee should use a licensed and secured software that can only be accessed with a unique identification (ID) and password.

Moreover, employees should change their passwords regularly, every 10-15 days, and should set the auto log out function after a certain time of screen inactivity.

3. Communicating with colleagues and clients

Most certainly, during this period communicating with colleagues, clients or collaborators is essential in order to get work done and to this employees will have to use certain modern communication tools. Depending on the number of participants to a video meeting and to the company’s security requirements, there are a great number of apps to choose from and some of them are even free. Usually, the free version of these apps is less secure and it doesn’t provide the same level of confidentiality and data protection. Therefore, it is recommended to purchase a license for this kind of apps. Investing in a licensed application is a must.

4. Security monitoring by the IT Department

The role of the IT Department is crucial during this period because every employee will be accessing the database remotely. Before the pandemic its role was ensure the security of the network from the employer’s headquarters, but now the monitoring process is much more complex.

Furthermore, the IT Department will have to make recommendations but also to decide, together with the DPO, if any, and with the management of the company, which are the best apps for online meetings and online discussion with colleagues and clients.

Besides the security measures put in place by the employer together with the IT Department, employees will have to treat security issues more carefully, especially for the devices they use for work. They have to make sure that there are no other persons around – with whom they are currently living – who have access, intentionally or accidentally, to their working devices, to work related documents used at home or to the remotely accessed database. To ensure maximum security, employees working from home will have to use access passwords or locked drawers to store work related documents.

5. Periodical verifications

Employers, together with the IT Department, must regularly check if employees are complying with the policies and measures that have been put in place for remote database access.

These verifications should first of all regard the security of the database and also if the access is authorized or not. Any sign of a possible access not in line with the company’s policies and procedures or of a security breach must also be verified.

Devices used by employees to access the database may also be verified via remote access apps, including the level of security ensured by such devices. This is doable because some employees might use personal devices in order to perform their work from home.

However, any such verification should be limited to the activity and documents used for work, and not for any personal matters.

6. Keeping employees informed about the company’s measures

During this period either the DPO, if any, or a representative of the HR Department, must keep employees informed about the measures put in place by the company to ensure the protection of the personal data but also to remind employees that data protection policy compliance during this period is even more important.


Attorney Diana-Flavia Barbur