As the demand for high-quality software engineers increases, employers hiring remotely will find themselves ahead of the competition. This is because hiring remotely allows employers and startup founders to expand their talent pool and hire the best candidate no matter where they live. It also leads to reducing costs and improving employees’ productivity and retention.
Nearly 63% of US companies have employees who work remotely, and the share of Americans working remotely rose from 24% to 31% between 2012 and 2016, according to a survey by Upwork. Since the General Data Protection Regulation (GDPR) came into force, EU-based companies have been adjusting their policies to meet its requirements. Fully and partially distributed companies such as Doist, Hotjar, Appen, and Stanwood have established remote work policies that allow them to hire remote employees and stay compliant with the new regulation.
The GDPR, which came into force in May 2018, sets out principles of data protection that organizations must follow when collecting or processing personal data.
According to the GDPR, personal data means any information relating to an identified or identifiable natural person. For example, the list below summarizes what could be considered personal data:
Principles that deal with data security state that personal data must be
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”.
The GDPR also emphasizes the urgency of reporting breaches. Unless a breach is unlikely to result in a risk to the people affected, an organization has 72 hours from becoming aware of it to notify the relevant supervisory authority, describing the likely consequences of the breach and the measures taken or proposed to mitigate its effects.
That being said, organizations keen on hiring remotely should be looking at ways to protect their data from being lost or exploited.
Does remote work threaten your data?
Data security appears to be the main concern among employers and small businesses in Europe. For an employer working with remote developers, one of the biggest fears is that developers can work from anywhere, which makes data more vulnerable to being breached or mishandled. Data breaches can happen for many reasons, and remote work is only one of them: in one of the most widely reported cases, the Marriott hotel chain announced in late 2018 that attackers had accessed the records of up to 500 million of its guests.
Romanian-based Andrei Hanganu, author of the EU GDPR Documentation says, “There’s no such thing as foolproof security – even Nasa has been hacked. But strong passwords and adequate encryption solutions will help keep your personal data safe from unauthorized users.”
Whether your team is remote or not, if you are unsure of your data security practices, you need to take further steps to keep your data safe.
Here, we have prepared an actionable checklist to help you stay compliant with GDPR when hiring remote developers:
1. Limit the access of remote developers to your server
There is an ongoing debate about whether companies should give developers access to their servers at all. To begin with, there are three environments your developer has to deal with:
Development: at this stage the developer can edit and update code without affecting what users see when they pull up the website. This allows developers to test their code and fix bugs before the changes go live.
Staging: here your developers migrate database and configuration changes and test all the features in a production-like setup before the site goes live.
Production: this is where your final changes go live so that users can finally see them. Any bugs or errors that were not caught in the previous two environments will be found by users.
As a best practice, companies working with remote developers limit developers' access to the first two environments. Only the technical lead at your headquarters, and whoever does maintenance on the live site, should be able to reach production, and each of them should use their own account and SSH key rather than a shared login, so that access can be revoked per person when someone leaves. Within a server, file permissions let you control which files a developer's account can read, write or execute.
For instance, there are three types of permissions you can give to remote developers on a file: read, write and execute.
How to change file permissions: understanding the '777' rule
Every file and directory on a Unix-like server carries a set of permission bits, conventionally written as three octal digits. The value "000" means that nobody has any permission. Each kind of permission has a numeric value:
Write is equivalent to ‘2’.
Read is equivalent to ‘4’.
Execute is equivalent to ‘1’.
To set permissions, add up the numbers of the actions you want to allow. For example, if you want your developer to read and edit a file, you use 4 + 2 = 6. For read, write and execute, you use 7 (4 + 2 + 1).
In a number such as "777", the first digit applies to the file's owner, the second to the group the file belongs to, and the third to everyone else ("others", sometimes called "public" or "world"). So a file with '777' permissions can be read, written and executed by every account on the server, which is almost never what you want: a web application's configuration file, for example, is usually '640' (owner reads and writes, group reads, others nothing), and a directory that developers need to enter is typically '750'. Note that these permissions only govern accounts on the server itself; they do not replace giving each developer a separate account and removing it when the engagement ends.
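As an added example (not code from the original post), the following Python script does the same arithmetic in code: it builds a mode from the read/write/execute choices for owner, group and others, applies it with os.chmod and reads back what was stored, and then audits a directory tree for world-writable files, which is the quickest way to catch a stray '777'. The temporary site tree and the file name config.php are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Permission values as the page describes them: read = 4, write = 2, execute = 1.
PERM_VALUES = {"r": 4, "w": 2, "x": 1}


def mode_from_spec(owner: str, group: str, others: str) -> int:
    """Build a numeric mode from three strings such as ("rw", "r", "").

    Each string lists the permissions for that class; the digit is the sum of
    the values, exactly like adding 4 + 2 to get 6.
    """
    digits = []
    for who in (owner, group, others):
        value = 0
        for ch in who:
            if ch not in PERM_VALUES:
                raise ValueError(f"unknown permission {ch!r}")
            value |= PERM_VALUES[ch]
        digits.append(value)
    # Owner occupies the highest three bits, then group, then others.
    return (digits[0] << 6) | (digits[1] << 3) | digits[2]


def octal_string(st_mode: int) -> str:
    """Render a mode the way chmod users expect, e.g. '640'."""
    return format(stat.S_IMODE(st_mode), "03o")


def is_world_writable(st_mode: int) -> bool:
    """True if the 'others' digit includes write (the 2 in 7, 6, 3 or 2)."""
    return bool(stat.S_IMODE(st_mode) & stat.S_IWOTH)


def apply_and_verify(path: str, owner: str, group: str, others: str) -> str:
    """chmod the path and return the mode actually stored on disk."""
    os.chmod(path, mode_from_spec(owner, group, others))
    return octal_string(os.stat(path).st_mode)


def audit_world_writable(root: str) -> list:
    """Walk a tree and list every file or directory that any account may modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the audit
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful on most systems
            if is_world_writable(st.st_mode):
                findings.append(f"{octal_string(st.st_mode)} {path}")
    return findings


def demo() -> dict:
    """Create a throwaway site tree with the mistake the page warns about, audit it, fix it."""
    root = tempfile.mkdtemp(prefix="site-")  # constructed sample tree
    os.chmod(root, 0o750)  # developers in the group may enter, others may not
    config = os.path.join(root, "config.php")
    with open(config, "w", encoding="utf-8") as fh:
        fh.write("<?php // constructed sample: imagine database credentials here\n")
    os.chmod(config, 0o777)  # the '777' anti-pattern: every account may read and rewrite it
    before = audit_world_writable(root)
    fixed_mode = apply_and_verify(config, "rw", "r", "")  # 4+2=6 owner, 4 group, 0 others
    after = audit_world_writable(root)
    return {"before": len(before), "after": len(after), "config_mode": fixed_mode}


if __name__ == "__main__":
    print(demo())
```

Run the audit over your web root after every deployment; a '777' that appeared because someone "just wanted it to work" is exactly what it will surface, and the fix is one line.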
Ask your CTO for more information on how to implement the steps mentioned above.
2. File transfer protocol (FTP)
Granting your developer full FTP access to your hosting account means they can pull all your site files and edit or delete them; on cPanel hosting the main account's FTP credentials are the same as the cPanel login, so handing them over opens the control panel as well. Plain FTP also sends the username, password and file contents unencrypted, so prefer SFTP over an SSH account restricted to the directories the developer needs, or at least create a separate FTP account limited to a subdirectory. There are alternative options if you are hesitant to grant developers full FTP access:
3. Encrypt all devices
When they use their personal devices, remote developers risk losing their data or login credentials along with the device. Hence, encourage your remote developers to encrypt their hard drives so that a lost or stolen laptop does not turn into a data breach.
Enabling full-disk encryption has never been easier. On Windows, turn on BitLocker, the encryption feature built into the Pro and Enterprise editions (Home editions only offer a more limited "device encryption" on supported hardware). For Mac users, FileVault is the built-in disk encryption feature that encrypts the whole startup disk. In both cases, store the recovery key somewhere the company controls, not only on the laptop, or a forgotten password turns a security measure into data loss.
4. Use pseudonymization
Pseudonymisation is a form of data masking that the GDPR explicitly recommends. The regulation (Article 4(5)) defines it as processing personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. It works by replacing directly identifying values such as names and email addresses with artificial identifiers. The additional information needed to reverse the replacement (a lookup table or a secret key) must be kept separately from the pseudonymised data and protected by technical and organisational measures, so that an employer who pseudonymises employees' personal data can be sure nobody holding only the masked records can attribute them to a person. Note that pseudonymised data is still personal data under the GDPR (Recital 26): it reduces the risk but does not take the data out of the regulation's scope.
How pseudonymization works
There are two common ways to apply pseudonymisation to employees' personal data: random replacement and consistent replacement. Random replacement substitutes a new artificial value every time the information goes through the pseudonymisation process: if an employee's name is Jack Smith, the replacement will differ on each run, so two records about the same person can no longer be linked to each other. Consistent replacement substitutes the same artificial value for the same input each time: Jack Smith becomes, say, James Fallon (or a fixed token) on every run, which keeps records linkable for reporting and analytics. Consistent replacement is therefore more useful but also more sensitive, because anyone who learns one mapping, or who can recompute the replacement, can link and re-identify every record about that person. That is why the mapping or key must be kept apart from the data, and why the replacement should be computed with a secret key rather than a plain hash of the name.
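Both approaches in working code, as an added example rather than anything from the original post: consistent replacement is implemented with an HMAC keyed hash so that the same name always maps to the same token, random replacement with fresh random tokens, and the re-identification mapping is kept in a separate structure that never travels with the masked records. The sample employee record, the field names and the choice of SHA-256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Directly identifying fields; everything else in a record is left readable.
IDENTIFYING_FIELDS = ("name", "email")

# Constructed sample record for the demonstration (not real data).
SAMPLE_RECORD = {"name": "Jack Smith", "email": "jack.smith@example.com", "salary": 52000}


def new_pseudonymisation_key() -> bytes:
    """Random 256-bit secret.

    Together with the mapping table this is the GDPR's 'additional information':
    store it separately from the pseudonymised data (for example in a secrets
    manager the analysts cannot read), never alongside it.
    """
    return secrets.token_bytes(32)


def consistent_pseudonym(value: str, key: bytes) -> str:
    """Same value and key -> same token, so records about one person stay linkable.

    A keyed hash (HMAC) is used instead of a plain SHA-256 of the name: without the
    key nobody can take a list of employee names and recompute the tokens.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def random_pseudonym() -> str:
    """Fresh token on every call: the same person gets unrelated values each run."""
    return secrets.token_hex(8)


def pseudonymise_record(record: dict, key: bytes, mapping: Dict[str, str],
                        consistent: bool = True) -> dict:
    """Return a copy with identifying fields replaced.

    The reverse mapping is written to the separately stored `mapping`, never
    into the record itself; non-identifying fields (salary here) stay readable.
    """
    masked = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in masked:
            original = str(masked[field])
            token = consistent_pseudonym(original, key) if consistent else random_pseudonym()
            mapping[token] = original
            masked[field] = token
    return masked


def reidentify(masked: dict, mapping: Dict[str, str]) -> dict:
    """Only a holder of the mapping (the 'additional information') can do this."""
    restored = dict(masked)
    for field in IDENTIFYING_FIELDS:
        if field in restored and restored[field] in mapping:
            restored[field] = mapping[restored[field]]
    return restored


def demo() -> Tuple[dict, dict, dict, dict]:
    """Pseudonymise the sample record both ways to show what each preserves."""
    key = new_pseudonymisation_key()
    mapping: Dict[str, str] = {}  # to be stored apart from the masked records
    consistent_a = pseudonymise_record(SAMPLE_RECORD, key, mapping)
    consistent_b = pseudonymise_record(SAMPLE_RECORD, key, mapping)  # identical tokens
    random_a = pseudonymise_record(SAMPLE_RECORD, key, mapping, consistent=False)
    random_b = pseudonymise_record(SAMPLE_RECORD, key, mapping, consistent=False)  # different tokens
    return consistent_a, consistent_b, random_a, random_b


if __name__ == "__main__":
    a, b, c, d = demo()
    print("consistent:", a["name"], b["name"], "| random:", c["name"], d["name"],
          "| salary stays readable:", a["salary"])
```

The salary column survives untouched in every output, which is exactly why pseudonymisation is useful for analytics and exactly why it is not encryption: whoever holds the masked file still reads every non-identifying field. Treat the key and the mapping dictionary as the crown jewels, and remember that the masked records remain personal data.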
Data encryption vs Pseudonymisation
As mentioned, pseudonymisation is a form of data masking: the identifying fields are replaced, and the additional information needed to reverse the replacement is held separately by authorized individuals. The rest of each record remains readable and usable, which is the point, but it also means that any identifying detail you failed to mask is still exposed. Encryption, on the other hand, is the most straightforward and effective technique for securing data as a whole. It transforms the data into ciphertext so that only holders of the key can read any of it.
Both methods are recognised by the GDPR, which names pseudonymisation and encryption side by side in Article 32 as appropriate technical measures. They solve different problems, however: pseudonymisation limits who can attribute data to a person while keeping it usable, whereas encryption protects the stored or transmitted data from everyone without the key. In our opinion, pseudonymisation on its own is only partial protection, so we recommend that you also implement standard encryption of data at rest and in transit in order to ensure full protection and remain GDPR compliant.
5. Enable remote finding of devices
Once your remote developers are on-boarded, encourage them to switch on the function for finding their device in case it gets lost. The option is available on both Windows ("Find my device") and Mac ("Find My"), and it lets the user locate and lock a lost or stolen machine; on a Mac the user can also erase it remotely. Combined with the full-disk encryption from step 3, a device you can lock but cannot reach still keeps its data unreadable.
6. Use an encrypted email program
When working with remote developers, make sure to protect your G Suite account and encrypt all emails and messages. One way to implement email encryption is Google Apps Message Encryption (GAME), an email encryption service produced by Zix that provides secure email for G Suite users communicating with recipients outside Google's cloud.
Another email encryption option recommended by Google is Virtru. Virtru provides end-to-end encryption for G Suite email users and lets you keep control of your data: you can choose to encrypt the documents and files you send via email and restrict forwarding or sharing of them.
If you are looking for a simpler solution, there are Chrome extensions such as FlowCrypt that add PGP encryption to G Suite through a secure compose button that sits above the regular compose button. If the recipient doesn't have FlowCrypt, they will need a password, which you should share with them over a separate channel, to open the message. This is an easy option to implement and can be used by both small and large businesses that want to take immediate action to encrypt important emails within their organization.
7. Take advantage of cloud storage
Businesses are increasingly using cloud-based storage as a safe option to protect their data, for example as an off-site copy that survives ransomware on a laptop. Since the GDPR came into force, there are a few issues to consider before choosing your cloud storage provider:
Check how the provider encrypts your files. For real protection, encryption should be performed on the client side with keys that you, the end user, control, so that the provider (or anyone who compromises it) cannot read your data. Pseudonymising records before uploading them reduces the impact of a leak further but is not a substitute.
The GDPR does not require data to be stored within the EU, but transferring personal data outside the EU/EEA is only allowed under the conditions set out in Chapter V of the regulation, so it is simpler to choose an EU-based data centre if possible.
Where the provider stores data outside the EU, check that it relies on a transfer mechanism that is currently valid. The EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so look for standard contractual clauses or other guarantees that align with the GDPR requirements.
Cloud-based storage solutions vary in quality and price. Before subscribing, study the options and choose what suits your business needs best. We recommend pCloud Cloud Storage and SkyFlok. Both are affordable, simple to use and provide end-to-end encryption.
8. Sign a cyber insurance policy
Some cyber insurance policies cover the costs arising from a GDPR breach, such as investigation, notification and legal fees. Whether regulatory fines themselves can be insured depends on the jurisdiction and on the policy wording, and many policies exclude them, so do not assume a policy covers all penalties. Before signing up for a cyber insurance policy, make sure it covers the points below:
9. Have a written remote work policy
In the current age of technology and in line with the GDPR, remote work policies should be refined to reflect the current changes. Having a clearly written remote work policy will enhance your GDPR compliance and ease the process for you and your team. A good remote work policy should cover your data security principles, rules of copying files or documents, simplified explanation of the GDPR principles and guidelines, responsibilities of the developer and legal obligations. It should also cover the steps that each remote developer should take in the case of a data breach.
10. Train your remote developers
After drafting a remote work security policy, it's crucial to invest time in training your remote developers on the principles of the GDPR. Arrange an hour-long call with your new hires to discuss the ways in which business data could be breached and what they should do to minimize the risk. With the help of your IT department, educate your remote developers on security topics such as identifying phishing emails, following a good password policy (a password manager and two-factor authentication on every company account), and the rules for using public Wi-Fi (for example, only through the company VPN).
11. Appoint a data protection officer (DPO)
Many organizations have appointed a data protection officer (DPO) responsible for overseeing the company's overall data protection strategy. DPOs are also responsible for training the employees involved in data processing on the GDPR principles. The DPO must be given access to the processing operations and records needed to do the job, since he or she will be the point of contact for the supervisory authority in case of a data breach; this does not mean a standing login to every company database, and like anyone else the DPO should get access to personal data only when a task requires it.
When to appoint a DPO?
According to Article 37 of the GDPR, appointing a DPO is mandatory in three cases: when the processing is carried out by a public authority or body; when the organization's core activities require regular and systematic monitoring of data subjects on a large scale; and when its core activities consist of large-scale processing of special categories of data (such as health data) or data relating to criminal convictions.
Only under these conditions are you required to appoint a DPO. Otherwise, it is up to you to decide whether doing so is necessary, bearing in mind that some member states impose additional requirements in national law.
What you need to do when you discover a data breach
When you discover a data breach, even if you don't yet have complete knowledge of the case, it's crucial to report it to the authorities within the timeframe; the GDPR allows the information to be provided in phases if it is not all available at once. The GDPR stresses the importance of reporting breaches within 72 hours. Below are the immediate actions you need to take in the case of a data breach.
1. A GDPR awareness session
To protect your data and in order to comply with the GDPR, Remoteplatz organizes a GDPR awareness session for all new hires. This session ensures that remote developers are aware of the principles of the regulation and are trained to comply with it.
2. A non-disclosure agreement (NDA)
Signing an NDA is compulsory for all our new hires. This ensures that your remote developers are bound not to replicate any of your proprietary information, code or business ideas. NDAs also protect your clients' personal information and ensure that the developer understands the seriousness of the issue and is legally bound to protect all of your clients' data.
In addition, we insert a "work for hire" clause in our NDAs which states that the code produced by the remote developer is the intellectual property of your company, so the developer has no right to copy or use the code in rival products.
Ready to hire a remote developer?
Making sure your company is fully compliant with GDPR is an important step. With the aforementioned actionable tips, you can ensure the security of your data even if your employees are a thousand miles away.
Menna is an online marketing manager at Remoteplatz GmbH and a master's degree holder in Media and Communication. She is passionate about marketing, social media and recruitment. More recently she has focused on remote working trends, best practices and collaboration tools with a particular interest in the software industry. This post was originally published on remoteplatz.