Personal laptops

I’m a remote worker and use my personal laptop. My work refuses to provide me with a laptop. We don’t connect to a work VPN/server. We take card details over the phone and have access to customers’ personal details. I know there are things that need to be done regarding data protection and GDPR; is it my responsibility or my employer’s? When I asked my manager he said he’s not thought of it because he uses a work laptop.

Comments

  • 400ixl
    400ixl Posts: 4,482 Forumite
    So what are you connecting to from your personal device?

    If you are connecting to a website and the connection is over HTTPS then that is encrypted traffic. From a GDPR point of view, as long as there are processes and policies in place that you have to follow then they should be covered.


  • Marcon
    Marcon Posts: 13,889 Forumite
    Hello_hb said:
    I’m a remote worker and use my personal laptop. My work refuses to provide me with a laptop. We don’t connect to a work VPN/server. We take card details over the phone and have access to customers’ personal details. I know there are things that need to be done regarding data protection and GDPR; is it my responsibility or my employer’s? When I asked my manager he said he’s not thought of it because he uses a work laptop.
    Ultimately it's your employer who is responsible for what its employees do. Have you seen your employer's policy on data protection/received any training? If not, now would be good...
    Googling on your question might have been both quicker and easier, if you're only after simple facts rather than opinions!  
  • elsien
    elsien Posts: 35,578 Forumite
    So if you told them your laptop has died and you couldn’t afford to buy a new one, what would their response be?
    All shall be well, and all shall be well, and all manner of things shall be well.

    Pedant alert - it's could have, not could of.
  • DullGreyGuy
    DullGreyGuy Posts: 17,549 Forumite
    Hello_hb said:
    I’m a remote worker and use my personal laptop. My work refuses to provide me with a laptop. We don’t connect to a work VPN/server. We take card details over the phone and have access to customers’ personal details. I know there are things that need to be done regarding data protection and GDPR; is it my responsibility or my employer’s? When I asked my manager he said he’s not thought of it because he uses a work laptop.
    Ultimately, both... theirs is higher in terms of making sure employees have appropriate tools etc. but you also have a responsibility to follow the company rules.

    So how are you accessing the company systems for viewing customer details or taking payments if not VPN or VM? 

    In my day things in call centres were very lax compared to just before Covid. We didn't have to be stripped of equipment, we had notepads and call recording was continuous. We've done full circle to some degree given the ability to stop people having a pen or notepad to record payment details has gone out the window.
  • TBagpuss
    TBagpuss Posts: 11,236 Forumite
    It's primarily your employer's responsibility. Do they have a Data Protection Officer? If so, perhaps flag your concerns to them (in writing, and keep a copy).

    I would also check what your work's policies say (our IT policy allows us to access anything on a computer used for work (all machines belong to us, but we have a policy which permits a limited amount of personal use). There is a reminder of the policy which pops up when you log in, and we have secure, encrypted VPN for WFH).

    I would also be considering having issues with my personal machine and requesting that one is issued, although of course you might find that you are instead told you have to work in person from the office.
    All posts are my personal opinion, not formal advice. Always get proper, professional advice (particularly about anything legal!)
  • Plasticman
    Plasticman Posts: 2,534 Forumite
    If you're taking payment card details then you absolutely should be using a work computer or your employer won't be compliant with the PCI DSS requirements. Their (financial) liability though rather than yours. 
  • DullGreyGuy
    DullGreyGuy Posts: 17,549 Forumite
    If you're taking payment card details then you absolutely should be using a work computer or your employer won't be compliant with the PCI DSS requirements. Their (financial) liability though rather than yours. 
    Would love a quote @plasticman, as with the likes of Citrix you are technically working on a VM on the employer's servers. I don't take payments but the DPO was fully comfortable that no matter where I was the data wasn't leaving the UK as the VM was in East London.
  • JReacher1
    JReacher1 Posts: 4,661 Forumite
    If you're taking payment card details then you absolutely should be using a work computer or your employer won't be compliant with the PCI DSS requirements. Their (financial) liability though rather than yours. 
    Would love a quote @plasticman, as with the likes of Citrix you are technically working on a VM on the employer's servers. I don't take payments but the DPO was fully comfortable that no matter where I was the data wasn't leaving the UK as the VM was in East London.
    Agree 100% with this. Whether it is your device or your employer's is irrelevant. Using Citrix or another VPN will meet all data requirements.
  • Plasticman
    Plasticman Posts: 2,534 Forumite
    If you're taking payment card details then you absolutely should be using a work computer or your employer won't be compliant with the PCI DSS requirements. Their (financial) liability though rather than yours. 
    Would love a quote @plasticman, as with the likes of Citrix you are technically working on a VM on the employer's servers. I don't take payments but the DPO was fully comfortable that no matter where I was the data wasn't leaving the UK as the VM was in East London.

    Data protection legislation and PCI (card processing compliance) are very different things. I managed PCI compliance as part of my job several years ago and the computer used for processing was in scope for PCI compliance even if you were working on a VPN or via Citrix. Things might have changed since then of course but the guidance here implies not:

    Protecting Payments While Working Remotely (pcisecuritystandards.org)

    Ultimately though this is a risk for the employer and for them to manage as part of their PCI compliance. In this situation you should be aware of what you can or can't do because your training and policies should make it clear. If you haven't had any training then that's a good sign that the employer doesn't take it seriously. 


  • DullGreyGuy
    DullGreyGuy Posts: 17,549 Forumite
    If you are talking about VM software like Citrix then the machine you are working on is the virtual machine on the employer's servers, not the device physically in front of the user.