CNIL publishes new Guidance on Teleworking
The French Data Protection Authority (CNIL) released guidance on teleworking on April 1st, which is intended to help employers master the new working situation. In particular, it is supposed to bring clarity on the IT requirements needed to ensure a safe and well-functioning remote working environment.
The guidance touches on the following points to form a basis for coping with teleworking from an employer’s perspective:
- Employers are recommended to formulate an IT Charter or internal regulation on how to use the teleworking systems, which employees are to follow,
- Necessary measures have to be taken in case the systems have to be changed or adapted to the new situation,
- It should be ensured that employee workstations meet the minimum requirements of a firewall, anti-virus software and a tool blocking access to malicious websites,
- To avoid exposure on the internet and to ensure security, the use of a VPN is recommended.
Furthermore, the CNIL has also given guidance on cases where an organization’s services are mainly performed over the internet. In such cases, it recommends following a few necessary requirements to make sure the services can be delivered safely and smoothly:
- Using web protocols that guarantee confidentiality and authentication of the processes (such as HTTPS and SFTP), and keeping them up to date,
- Two-factor authentication,
- No access to interfaces of non-secure servers,
- Reviewing logs of access to remotely accessible services to detect suspicious behaviors,
- Ensuring that the equipment in use has the latest security patches applied.
The CNIL also offered some best practices for employees to follow in cases of working remotely, to give both sides pointers on how to deal with the changing situation.
Specifically, employees are advised to ensure their Wi-Fi is secure by using encryption such as WPA2 or WPA3, along with a secure password. In addition, the CNIL recommends using work equipment given by the employer, as well as a VPN provided by the company. Where employees use their own devices, a firewall and anti-virus software are the necessary requirements to ensure the security of the equipment, as is updating the operating system and software to the newest patches.
Lastly, the CNIL warns of increased phishing attempts in relation to the COVID-19 outbreak.
Overall, the guidance and best practices the CNIL has published indicate a need for continuous and active vigilance with regard to teleworking, as well as to the sharing of personal data in the process.
This guidance is in line with our past assessment of the remote working situation, which you are welcome to check out in the respective blogpost in our Series on Data Protection and Corona.