Working remotely (which has nothing “smart”, by the way) is a convenient choice from the point of view of a company (which can cut organizational costs and risks, even criminal ones), a little less so from that of the employee who, in the name of an apparent “freedom” is, little by little, in a barbaric isolation, similar to house arrest, which accentuates its role as an anonymous cog in a mechanism larger than him.
Net of these aspects of work psychology – which I am not competent to deal with – the fact remains that the actual practicability of remote work is strongly limited by cultural resistance such as the refusal to accept productivity controls, albeit in forms that guarantee the protection of the worker’s dignity (and it is certainly not the jobs act that has achieved this result) and by regulations that bureaucratize it unnecessarily: just think of the obligations relating to the “home workplace”, or the instrumental interpretations of the GDPR that are doing so much damage to the spread of a fair culture of personal data processing.
The existence of this ballast has emerged clearly with the need to reduce the displacement and proximity of people due to the health emergency caused by COVID-19. In order to allow remote working, in fact, it has been necessary to derogate from the plethora of requirements imposed by the legislation, in favour of faster keeping people at home. But while the rigidity of remote working has been made more flexible, nothing has been done about the other Moloch that afflicts companies: the application (instrumentally complicated by unscrupulous interpretations) of the GDPR.
Let’s start from a premise: in Italy we are – normatively – in a state of emergency. It is not yet the state of public danger referred to in art. 214 of the Law on Public Security, but it is, however, a condition that legitimises even strong exceptions (as long as within the constitutional principles) to the laws in force.
That being said, employers who are the data controllers have the duty to adopt all the necessary measures to protect the health of workers also under the legislation on health and safety in the workplace. The “remoteisation” of activities, therefore, is first of all a measure that should be considered within the mandatory health hazard risk assessment policy. This constitutes a “strong” legal basis to handle any question of personal data processing, which should always be “read” in the light of the protection of a higher interest than mere data management.
It must be remembered, however,that the state of health emergency – which belongs to the more general category of public security – is one of the cases in which the regulation on the protection of personal data does not apply: recitals 16 and 19 state this very clearly.
This does not mean that certain precautions regarding, for example, the reliability or availability of data can be ignored, because even if the GDPR would not apply, it would still remain a general responsibility under Article 2043 – if not even 2050, as it was in the old legislation – of the Civil Code.
Wanting to establish a hierarchy of requirements relating to the processing of personal data – but in reality to the management of the company’s information assets – the first place belongs to the respect of security rules, while the rest of the more bureaucratic part is – frankly – to be put at the bottom of the list. The radical change in the internal organization of a company, in fact, requires economic and organizational efforts that are not foreseen in the budget and that, in order to be carried out, necessarily imply not being able to deal with other aspects, even if – abstractly – relevant.
In this context, therefore, the greatest weight in terms of (also) legal responsibility lies on the shoulders of the employees. They have the duty to respect the safety rules in order to avoid, especially with the use of their own equipment and connectivity, that the company’s information assets are damaged by unauthorized dissemination or unavailability, even temporarily. This also implies the need, on the part of the employer, for stricter and more stringent controls on what passes on its network.
If the number of people accessing from outside increases “exponentially” (for once I also abuse this word), the risk of harmful events also increases (malware such as Mimikatz are just one of many examples). Therefore, it is necessary to adopt clear policies that, on the one hand, increase monitoring and controls and, on the other, severely sanction – I would say in “Chinese style” – the non-observance of security rules. And this, I repeat, not only and not so much for the respect of Art. 32 of the GDPR, but to allow the effective implementation of the measures of social distancing made possible by remotely working.