Hiring Remote Devs? How to be GDPR Compliant

As the demand for high-quality software engineers increases, employers hiring remotely will find themselves ahead of the competition. This is because hiring remotely allows employers and startup founders to expand their talent pool and hire the best candidate no matter where they live. It also leads to reducing costs and improving employees’ productivity and retention. 

Nearly 63% of US companies have employees who work remotely. The number of Americans working remotely rose from 24% to 31% from 2012 to 2016, according to a survey by Upwork. Since the new General Data Protection Regulation (GDPR) came into force, the EU based companies have been trying to adjust their policies to meet the requirements. Fully and partially distributed companies such as Doist, Hotjar, Appen, and Stanwood have established a remote work policy that allows them to hire remote employees and stay compliant with the new regulations. 

The GDPR that came into action in May 2018 proposes new principles of data protection that organizations should follow when collecting or processing personal data. 

According to the GDPR, personal data means any information relating to an identified or identifiable natural person. For example, the list below summarizes what could be considered personal data: 

Biographical information: Data of birth, Social Security numbers, phone numbers and email addresses.Workplace data: Information about customer’s employment history, salary and tax.Information about physical appearance: Such as hair color, eye color, or weight could be considered personal data. 

Principles that deal with data security state that personal data must be

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”. 

The GDPR also emphasizes the urgency of reporting breach cases. Organizations have 72 hours to notify the relevant supervisory authority of a data breach, including an analysis of the likely consequence of the breach, and the measures taken or proposed by the organization to mitigate the negative effects of such case. 

That being said, organizations keen on hiring remotely should be looking at ways to protect their data from being lost or exploited. 

Does remote work threaten your data? 

Data security appears to be the main concern among employers and small businesses in Europe. As an employer working with remote developers, one of the biggest fears to such employment would certainly be the fact that developers can work from anywhere which makes data more vulnerable to be breached or mishandled. In fact, data breaches can happen for a variety of reasons. One of the most famous cases took place last year when Marriott hotel chain announced that hackers have accessed nearly 500 million of their consumers’ data. 

Romanian-based Andrei Hanganu, author of the EU GDPR Documentation says, “There’s no such thing as foolproof security – even Nasa has been hacked. But strong passwords and adequate encryption solutions will help keep your personal data safe from unauthorized users.”

Whether remote or not, if you don’t have enough knowledge of data security, then you’re eligible to take further steps to keep your data safe. 

Here, we have prepared an actionable checklist to help you stay compliant with GDPR when hiring remote developers: 

Limit the access of remote developers to your serverLimit access via file transfer protocol (FTP) Use device encryption Use pseudonymizationEnable remote finding of devices Use an encrypted Email program Take advantage of cloud storage  Sign a cyber insurance policyHave a written remote work policyTrain your remote developers Appoint a data protection officer (DPO)

There’s an ongoing debate on whether companies should give developers access to the servers. To begin with, there are different development environment which your developer has to deal with:

At this stage, developer can edit/update code without affecting what users see when they pull up the website. This allows developers to test their code and fix unwanted bugs before the changes go live.  

Here, your developers can migrate database and configuration changes and test all the features before the site goes live. 

The production environment is where your final changes/updates go live so that users can finally see it. Any bugs or errors that were not fixed during the previous development environments can be found by users.

For best practices, companies working with remote developers limit the access of developers to the first two stages only. For security enhancement, only the technical lead at your office headquarters should have access to the production level. Also, those who do maintenance work has to have access to your production servers. Using a file control mechanism, you can delegate the access of developers to your server files. 

For instance, there are 3 types of permissions you can give to remote developers: 

Read: They can only view the file. Any attempt to edit or delete the file is disabled under this permission. Write: They can edit, modify, delete the file or add new files to the folder. Execute: it’s mainly used when they can run a script. 

How to change file permission? Understanding the ‘777’ rule

Every file and folder contain a 8-bit data that control the permissions. The number “000” indicates that no permission of any form is granted. For the other forms of permissions: 

Write is equivalent to ‘2’.

Read is equivalent to ‘4’.

Execute is equivalent to ‘1’.

If you want to set permission, you just need to add the number of the desired action. For example, if you want your developer to read and edit the files, you add “4+2” = 6. For read, write and execute, you will use ‘7’ (4 + 2 + 1). 

The number “777”, the first digit is assigned to the Owner, the second digit is assigned to the Group of users who share the same permissions and the third digit is assigned to the Public. So for a file with ‘777’ permission, everyone can read, write and execute the file. 

Ask your CTO for more information on how to implement the steps mentioned above. 

Granting your developer a complete FTP access means that a developer can access Cpanel, which enables them to pull all your site files, edit or delete them. There are alternative options if you’re hesitant to grant developers a complete FTP access: 

Create multiple FTP accounts with limited access to files. You can restrict certain parts of the site and authorize your developers to access only the data that they need in order to do their job. Ask your developer to edit a database remotely using a database client such as phpMyAdmin, or other 3rd party solutions. Note that this option isn’t valid if they are creating a database from scratch. 

When they use their personal devices, remote developers could be in danger of losing their data or login credentials. Hence, encourage your remote developers to encrypt their hard drives to protect their data and avoid a possible data breach.

The ability to encrypt data on any device has never been easier. All you need to do is to enable the built-in encryption software that is available on most versions of Windows. For MAC users, you can use FileVault, a built in desk encryption feature that encrypts your hard drive and data. 

Pseudonymization is a form of data masking that is highly recommended by the GDPR. the GDPR defines pseudonymisation as personal data processing so that the data can no longer be attributed to a specific data subject. It works by replacing all authentic identifying information with artificial identifiers. Pseudonymisation makes it impossible to access personal data without additional information. According to GDPR, employers who want to pseudonymize their employees personal data should keep the “additional information” secure and separate to ensure non-attribution. 

There are two types of Pseudonymization which you can apply today to your employees personal or important data; random replacement and consistent replacement. For example, random replacement works by replacing employees’ names with random names every time the information goes through the pseudonymization process. For example, if an employee’s name is Jack Smith, each time it goes into the pseudonymization process, the name will vary. Consistent replacement, on the other hand, works by replacing employee’s name with the same name each time. For example, Jack Smith will be replaced by James Fallon each time it goes into the pseudonymization process. 

As mentioned, pseudonymization is a form of data masking. It secures the data with additional information that is held separately by authorized individuals. In this case, the original form of data remains readable. On the other hand, encryption is considered the most straightforward and efficient technique to secure data. It translates the data into a different form of code so that only authorized individuals can read it. 

Both methods are eligible for securing data and have been mentioned by the GDPR many times. However, in our opinion, as pseudonymization provides partial encryption, we recommend that you implement standard encryption in order to ensure full protection and remain GDPR compliant. 

Once your remote developers are on-boarded, encourage them to switch on the function of finding their devices in case it gets lost. This option is available for both Windows and Mac devices and it allows users to delete important files remotely if their devices got stolen or lost. 

When working with remote developers, make sure to protect your G Suite and encrypt all emails and messages. Implementing Email encryption is possible through an email encryption service called GAME, produced by Zix and provides secure email to G Suite users communicating outside Google’s secure cloud to all other email users.

Another email encryption method recommended by Google is Virtue. Virtue provides end to end encryption for email users on G suite and lets you have control on your data. You can choose to encrypt documents and files you send via email and restrict forwarding or sharing them. 

If you are looking for a much simpler solution, there are chrome extensions such as FlowCrypt that lets you add a protection to G suite through the addition of a secure compose button that sits atop the regular compose button. If the receiver doesn’t have FlowCrypt, they will need to access the email via password. This is an easy to implement option that can be used by both small and large businesses who want to take immediate actions to encrypt important emails within their organization. 

Businesses are increasingly utilizing cloud based storage as a safe option to protect their data from ransomware. After the GDPR came into force, there are a few issues to consider before choosing your cloud storage provider: 

What are the encryption technologies used by the provider? 

Whether it be through pseudonymization or encryption, make sure that the encryption methodology used by the cloud storage provider is managed by end-user, on the client side. 

Provider’s transparency about data residency and protection 

Although the GDPR doesn’t mention whether the data should be stored within the EU, it’s better to choose EU based data center if possible. 

Additional security guarantees if the cloud company is not located in the EU

In this case, you have to check if the cloud company is certified under the EU privacy shield or provides additional security guarantees that align with the GDPR requirements.

Cloud-based storage solutions vary in terms of quality and price. Before subscribing, study all the options and choose what suits your business needs the most. We recommend pCloud Cloud Storage and SkyFlok. Both options are very affordable, simple to use and provide end to end encryption. 

Many forms of cyber insurance policies are eligible for taking care of the GDPR and cover all penalties and fines. However, before signing for a cyber insurance policy, make sure it covers the points below:

Definition of a privacy regulator: Most insurance policies include the “European Data Protection Authorities: (DPAs) as a privacy regulator. However, this doesn’t guarantee GDPR compliance. Privacy breach vs Privacy violation: The GDPR doesn’t only address privacy violations. Issues such as data storage and processing are also among the main concerns of the GDPR. To be compliant, make sure to expand the coverage to include how data is stored, managed and accessed through its lifetime. Will the insurance policy cover the GDPR penalty: A GRPR’s penalty is up to 4% of the company’s total revenue. Although each violations and breach could be assessed differently, it’s better to review the limits of your GDPR cyber insurance cover. 

In the current age of technology and in line with the GDPR, remote work policies should be refined to reflect the current changes. Having a clearly written remote work policy will enhance your GDPR compliance and ease the process for you and your team. A good remote work policy should cover your data security principles, rules of copying files or documents, simplified explanation of the GDPR principles and guidelines, responsibilities of the developer and legal obligations. It should also cover the steps that each remote developer should take in the case of a data breach.

After drafting a remote work security policy, it’s crucial to invest time in training your remote developers on the principles of GDPR. Arrange an hour call with your new hires to discuss the ways in which business data could be breached and what they should do to minimize the risk. With the help of your IT department, educate your remote developers about various IT and security topics such as identifying phishing emails, implementing good password policy, and the rules of using public Wifi. 

Many organizations have decided to appoint a data protection officer (DPO) responsible for overseeing the company’s overall data security strategy. The DPOs are also be responsible for training employees involved in data processing on the GDPR principles. He or she must have access to the entire database of the company as he or she will be responsible for communicating with the authorities in case of a data breach. 

Appointing a DPO is required under certain circumstances according to the GDPR; 

If your organization deals with or possess sensitive personal data on a large scale. If your organization engages in systematic monitoring of people. In Germany it is required to appoint a DPO as soon as 10 employees are involved in the processing of sensitive personal data.

Under these conditions only you are required to appoint a DPO. Other than that, it’s up to you to decide the necessity of doing so. 

What you need to do when you discover a data breach

When you discover a data breach, even if you don’t have complete knowledge of the case, it’s crucial to report it to the authorities within the timeframe. The GDPR stresses on the importance of reporting breach cases within 72 hours. Below are the immediate actions you need to take in the case of a data breach. 

Notify your “Data Protection Authority” DPA to file a data breach notification online. Inform each individual affected by the breach and make sure to obtain acknowledgment of receipt. The notification should include information about the nature of the data breach, the consequences that are likely to occur as a result of the breach, and steps taken to mitigate the risks and the effects of the breach. 

To protect organizations' data and in order to comply with the GDPR, Remoteplatz organizes a GDPR awareness session for all new hires. This session ensures that remote developers are aware of the principles of the new regulation and are trained to comply with it. 

Signing an NDA is compulsory for all our new hires. This ensures that your remote developers are bound not to replicate any of your proprietary information, code or business ideas. NDA’s also protect your client’s personal information and ensures that the developer understands the seriousness of the issue and is legally bound to protect all your client’s data and information. 

In addition, we also insert a “work for hire” clause in our NDAs which emphasizes that the code produced by the remote developer remains the intellectual property of your company. And thus, the developer has no right to copy or use the code for rival products.

* Candidates’ personal data such as name, phone number, email address or photo are stored on our database systems and are used for recruitment purposes only. 

* Every rejection email we send informs our candidates that we are keeping their data even after not offering them a job. In the email, we also inform our candidates that they have the right to ask for eliminating their data from our systems.

* Candidates have the right to access their data, edit it or even request to delete it. Any requests to edit/delete the data will be processed within a month from the date of receipt. 

Interested in hiring tech specialists? Fill out a simple form from here.