Checkliste Datenschutz im Home-Office
Others should argue about whether Corona is over or not. However, what is not over in many organizations is the topic of working from home. At the beginning of the pandemic, some employers may only have intended it as a workaround, but the home office is here to stay. Since many organizations were not at all prepared for the topic (keyword emergency management sub-items pandemic and staff shortages 🙂 ), things had to happen quickly in 2020. Interim solutions or emergency nails were created, the main thing was to be able to work first. Data protection and information security were not always the focus that would have been appropriate given the technical and organizational risks of working from home. It is now all the more important to systematically approach the topic from the perspective of data protection and information security during the current breather. It is important to check the effectiveness of any protective measures and aspects of risk avoidance that may already exist, but also to identify and eliminate any organizational and technical weaknesses that still exist. In the course of the pandemic that was just taking off in spring 2020, we created and made available to our customers a checklist for data protection when working from home. With this it was at least possible to roughly check whether the most important aspects were taken into account in all the topsy-turvy. And anyone who knows us knows that we not only danced for the golden calf of data protection, but also examined the topic from an organizational perspective. For this reason, the checklist for data protection when working from home also includes basic information security requirements, which logically do not make a distinction between personal references or not, but generally improve the level of protection for information of all kinds. Of course, the topic of training and raising employee awareness could not be left out. Even if it annoys one or the other organizational management or manager 😉
Systematik der Checkliste Datenschutz im Home-Office
At the beginning there was only one checklist for all the checkpoints and requirements that came to mind from a data protection and information security perspective. Checkpoints were or are:
- Hardware-Einsatz (Gestellung order BYOD)
- requirements of the workplace at home
- Handling paper documents
- Use of video conferencing systems
- General technical safety requirements
- Use of cloud services such as file storage or collaboration tools
- use of messengers
- Allgemeine organisatorische Anforderungen (Regelungen, Richtlinien, Schulung, Einweisung etc.)
This included requirements for data protection in the home office on the employer’s side, but also from the employee’s point of view in their own home. We quickly realized that this is not practicable and made two separate lists out of a checklist for data protection in the home office. There is now a checklist for data protection when working from home
- the employer and
- of the Arbeitnehmers.
Home office checklist for employers
This somewhat more extensive checklist for employers deals intensively with the requirements and prerequisites for technical and organizational security, which the employer must ensure or create in the first place so that work can be carried out in the home office in compliance with data protection and from the point of view of information security “safely”. . This also includes points such as order processing according to Art. 28 GDPR for external cloud services and also administrative defaults on the part of the technologies used, which are now rather less exciting or of interest for the employee when working from home.
Employers can use the data protection checklist when working from home to quickly and easily check whether
- the most important (technical) requirements for safe working in the home office have been met,
- the legal requirements from the point of view of the GDPR (such as order processing) are taken into account,
- everything is properly regulated, documented and described in a way that is easy to understand for everyone involved, as well as
- the employees are sufficiently instructed and sensitized.
Where there is a tick missing from the checklist, there is still a need for action in case of doubt. Even now, 2 years later 😉
Home office checklist for employees
This much shorter checklist deals with the aspects that should be fulfilled in the home office on the part of the employee. Using the checkpoints, the employee can check whether he is “ready to go” in the home office and whether the requirements for safe and data protection-compliant use in the home office are also guaranteed on his part. However, the checkpoints may also show that certain support measures on the part of the employer are still missing. These can be identified using the checklist, logged and sent to the employer with a request for completion. At the same time, the checklist for employees serves as a small reminder for the necessary security measures in the home office, which the employee should ensure not just once, but throughout the home office.
Another benefit of the checklists
In addition to self-checking whether everything important and necessary for safe and data protection-compliant use in the home office has been thought of, the dichotomy is also good for something else. Clever customers of ours have had the checklist for data protection in the home office for employees filled out by their employees at an early stage in order to determine what generally needs to be created / provided by the employer so that home office is possible in the first place. In the second step, after the rollout of the home offices, they had the employee log it again using the checklist for employees that everything is now “right” at home in the home office. All of this, of course, only after appropriate instruction and training. It goes without saying 🙂
Advantage: As an employer or responsible body, you can prove that you have fulfilled your duty of care outside of your own premises.
Download der Checkliste Datenschutz im Home-Office
Anyone who knows us a little better knows about our training activities at the Bavarian Administration School for Information Security Officers. Afterwards, all participants are cordially invited to take part in the free ISB practice forum as an exchange platform in the everyday life of information security officers. The question arose as to whether there were suitable checklists for home office or whether we wanted to develop them together. So what could be more obvious than to make the existing checklists from our pool available to everyone in a slightly revised version before everyone takes the trouble individually. time is too valuable.
Our request: The two checklists do not claim to be complete or correct. So if you have suggestions and additions for further development or correction, bring them on. And “fair use” applies. This template can therefore be used and modified in practice by organizations. However, we do not want it to be offered as a sample for download on other websites or found in a specialist book without our consent. Liability: The checklists are only a suggestion. No liability is accepted for damage caused by use.
Checklist data protection in the home office for employers
Checklist data protection in the home office for employees