LGPD: How does working from home impact the protection of personal data?
The year 2020 was quite challenging for everyone, and it was no different for professionals in the information security field. The new coronavirus (SARS-CoV2) crisis forced companies to have their employees work remotely — which not only required investments in new IT infrastructure (including contracting VPN solutions), but also demanded a complete restructuring of security policies in light of this new reality.
This scenario became even more complex when the long-awaited General Data Protection Law (LGPD) went into effect. Although this legislation was unquestionably welcomed by the Brazilian population, it arrived at a time when already overwhelmed decision-makers were also dealing with the structural changes needed to ensure the cybersecurity of their enterprises. If adapting to the LGPD was already a challenge, imagine how much more working from home complicated the situation.
And that is exactly the question many of us are asking ourselves right now: how can we ensure compliance with the law when our employees are spread across cities, states, countries, or even the world? How do we ensure that everyone is following best practices to prevent leaks of sensitive information?
A "household accident"
We must remember that, no matter how ethical and correct a company's use of its consumers' personal data is, it relies on its employees to perform their duties responsibly. Let's imagine, for example, a telemarketing agency that is currently operating 100% remotely. Each processing agent has access to the corporate system, which, in turn, holds millions of Brazilian records. How can we ensure that this agent will not put those records at risk?
When working from home, many of these professionals use their personal devices (notebooks, tablets, and/or smartphones) to access, view and process data that belong to the company. Quite often, these devices do not have the same level of protection as IT-approved equipment — they may run outdated operating systems, have malicious applications installed, or be connected to insecure home networks (after all, very few people change their routers’ factory passwords).
Improper exposure of data may even be unintentional — an employee may print sensitive information, and another person living in their home (a family member or a visitor) may end up viewing it.
Nothing can replace the human link
It is because of these factors that investing in awareness-raising programs has become more critical than ever. Employees need to know the threats they are exposed to in the home environment, abide by the company's access policies and use all the appropriate protection software, without neglecting the security practices they would follow if they were at the office.
The market has now started to offer a series of solutions that address the risks of remote work (including virtual zero-trust environments, which act as an intermediary between the device and corporate applications and constantly verify the user's identity based on a variety of factors and behavioral analysis). However, the human being will always be the most important link. Do you want to ensure compliance with the LGPD? Then invest in the education of your employees!