Hi everyone, I had a question not sure if here is the best place to ask.
I’m in the beginning stages of trying to see if I can negotiate working outside of the UK with my employer.
I currently work remotely from inside the UK, but would like to work outside of the UK for a short period in the same role.
One of the initial issues that has been flagged in this discussion is the handling of personal data, which my role involves a lot of.
My understanding is that our current use of a VPN negates this issue, as the data is being handled in exactly the same way, just that I will be handling it outside of the EU/UK. So is this a question of handling personal data over a VPN not meeting GDPR requirements, is it a question of my handling of that data outside of the EU being an issue, or is there no legal reason why I can’t handle that data outside of the EU (in terms of GDPR) as long as that data is communicated in a secure manner (i.e. using a VPN)?
At the moment my thoughts are that it is more about where the data is stored, rather than where it is being accessed from, is that correct?
Again, sorry if this is the wrong place, but just wondered people’s thoughts or if you can suggest a better place to ask this.
The ICO’s view is that unless there is a transfer to or access by another entity outside the U.K., there is no transfer. So assuming you remain employed by the U.K. entity but are simply working outside the U.K., that should not be considered a transfer for U.K. GDPR purposes. The rest of the U.K. GDPR will need to be complied with, but the restrictions on data transfers should not be an issue.
To tie the different instances of this question together:
post on r/eulaw where I wrote a lengthy comment discussing ICO & EDPB guidance
post on r/sysadmin where the consensus is to ask your legal department
post on r/vpn without insightful responses, except for pointing out that accessing the data via a VPN will still imply processing in the country where you are physically present
At the moment my thoughts are that it is more about where the data is stored, rather than where it is being accessed from, is that correct?
On the technical side, do note that if you access that data remotely, some or all of it might still end up stored locally on your device via cache, local storage, cookies, etc., at least temporarily.
Furthermore, ask yourself the question “Can someone with access to my device access some of that data?” And do note that if data gets stored on your device locally and said device is not encrypted (e.g. with full disk encryption), the answer is yes, even if your device is password protected. That data might then leak if a third party (e.g. local authorities, a thief…) gets their hands on the device.
To answer your question: no. A VPN is a technical security control to protect the data in motion, but it’s still a technical transfer (data in motion) from the UK to where you are working, and then the data is processed there by you and stored in your RAM.
That said, the DPAs seem to be relaxed towards this.
The data should be in control of the employer, so the laptop should be owned and secured by the employer. Make sure data at rest is encrypted, probably using hard disk encryption. Plus, data in transit should also be secure; this would be covered by the VPN.
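The two replies above make the practical point: with a VPN the data in transit is covered, but whatever lands on the laptop (browser cache, downloads, RAM paged out to swap) is only protected if the disk itself is encrypted. The following is an added example, not code from this thread or from any of the linked posts, that checks this on a Linux laptop by parsing the output of util-linux `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` and walking each mounted filesystem up through its parent block devices to see whether a dm-crypt (LUKS) layer sits underneath. The `SAMPLE_LSBLK` text is constructed, not captured from a real machine; the function names are my own.

```python
"""Added example (not from the thread): report which mounted filesystems on a
Linux laptop are NOT backed by a dm-crypt (LUKS) device, so that data cached
locally while working over the VPN can be judged against the "data at rest
must be encrypted" advice.

Assumes util-linux lsblk; the sample output below is constructed.
"""
import shlex
import subprocess

# Constructed sample: / and /home on LVM over LUKS, /boot and a USB stick in the clear.
SAMPLE_LSBLK = """\
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/media/usb" PKNAME="sdb"
"""


def parse_lsblk_pairs(text):
    """Turn `lsblk -P` KEY="value" lines into {name: {type, mountpoint, pkname}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex handles the shell-style quoting lsblk -P emits (MOUNTPOINT="" -> "MOUNTPOINT=").
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = {
            "type": fields.get("TYPE", ""),
            "mountpoint": fields.get("MOUNTPOINT", ""),
            "pkname": fields.get("PKNAME", ""),
        }
    return devices


def is_encrypted(devices, name):
    """True if `name` or any ancestor in the block-device tree has TYPE "crypt"."""
    seen = set()  # guards against a malformed, cyclic tree
    while name and name in devices and name not in seen:
        seen.add(name)
        if devices[name]["type"] == "crypt":
            return True
        name = devices[name]["pkname"]
    return False


def unencrypted_mounts(text):
    """Sorted mountpoints whose backing device has no dm-crypt layer beneath it."""
    devices = parse_lsblk_pairs(text)
    return sorted(
        info["mountpoint"]
        for name, info in devices.items()
        if info["mountpoint"] and not is_encrypted(devices, name)
    )


if __name__ == "__main__":
    try:
        output = subprocess.run(
            ["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
            check=True, capture_output=True, text=True,
        ).stdout
        source = "this machine"
    except (FileNotFoundError, subprocess.CalledProcessError):
        output, source = SAMPLE_LSBLK, "constructed sample"
    plain = unencrypted_mounts(output)
    print(f"Unencrypted mountpoints ({source}): {plain or 'none'}")
```

On the constructed sample the report lists /boot, /boot/efi and /media/usb: an unencrypted /boot holding only the kernel and initramfs is normal, but a plain-text USB stick or /home is exactly the "data at rest" gap the replies warn about. Swap deserves the same walk, since paged-out RAM is the other place accessed data lands. On macOS the equivalent check is `fdesetup status` (FileVault), and on Windows `manage-bde -status` (BitLocker).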