Personal laptops
Hello_hb
Posts: 14 Forumite
I’m a remote worker and use my personal laptop. My work refuses to provide me with a laptop. We don’t connect to a work VPN/server. We take card details over the phone and have access to customers’ personal details. I know there are things that need to be done regarding data protection and GDPR, is it my responsibility or my employer’s? When I asked my manager he said he’s not thought of it because he uses a work laptop.
0
Comments
-
So what are you connecting to from your personal device?
If you are connecting to a web site and the connection is over HTTPS then that is encrypted traffic. From a GDPR point of view as long as there are processes and policies in place that you have to follow then they should be covered.
0 -
Ultimately it's your employer who is responsible for what its employees do. Have you seen your employer's policy on data protection/received any training? If not, now would be good...
Hello_hb said:
I’m a remote worker and use my personal laptop. My work refuses to provide me with a laptop. We don’t connect to a work VPN/server. We take card details over the phone and have access to customers’ personal details. I know there are things that need to be done regarding data protection and GDPR, is it my responsibility or my employer’s? When I asked my manager he said he’s not thought of it because he uses a work laptop.
Googling on your question might have been both quicker and easier, if you're only after simple facts rather than opinions!
1 -
So if you told them your laptop has died and you couldn’t afford to buy a new one, what would their response be?
All shall be well, and all shall be well, and all manner of things shall be well.
Pedant alert - it's could have, not could of.
4 -
Ultimately, both... theirs is higher in terms of making sure employees have appropriate tools etc but you also have a responsibility to follow the company rules.
Hello_hb said:
I’m a remote worker and use my personal laptop. My work refuses to provide me with a laptop. We don’t connect to a work VPN/server. We take card details over the phone and have access to customers’ personal details. I know there are things that need to be done regarding data protection and GDPR, is it my responsibility or my employer’s? When I asked my manager he said he’s not thought of it because he uses a work laptop.
So how are you accessing the company systems for viewing customer details or taking payments if not VPN or VM?
In my day things in call centres were very lax compared to just before covid. We didn't have to be stripped of equipment, we had notepads and call recording was continuous. We've done full circle to some degree given the ability to stop people having a pen or notepad to record payment details has gone out the window.
0 -
It's primarily your employer's responsibility. Do they have a Data Protection officer? If so, perhaps flag your concerns to them (in writing, and keep a copy).
I would also check what your work's policies say. (Our IT policy allows us to access anything on a computer used for work. All machines belong to us, but we have a policy which permits a limited amount of personal use. There is a reminder of the policy which pops up when you log in, and we have secure, encrypted VPN for WFH.)
I would also be considering having issues with my personal machine and requesting that one is issued, although of course you might find that you are instead told you have to work in person from the office.
All posts are my personal opinion, not formal advice. Always get proper, professional advice (particularly about anything legal!)
0 -
If you're taking payment card details then you absolutely should be using a work computer or your employer won't be compliant with the PCI DSS requirements. Their (financial) liability though rather than yours.
0 -
Would love a quote @plasticman as with the likes of Citrix you are technically working on a VM on the employer's servers. I don't take payments but the DPO was fully comfortable that no matter where I was the data wasn't leaving the UK as the VM was in East London.
Plasticman said:
If you're taking payment card details then you absolutely should be using a work computer or your employer won't be compliant with the PCI DSS requirements. Their (financial) liability though rather than yours.
2 -
Agree 100% with this. Whether it is your device or your employer's is irrelevant. Using Citrix or another VPN will meet all data requirements.
DullGreyGuy said:
Would love a quote @plasticman as with the likes of Citrix you are technically working on a VM on the employer's servers. I don't take payments but the DPO was fully comfortable that no matter where I was the data wasn't leaving the UK as the VM was in East London.
Plasticman said:
If you're taking payment card details then you absolutely should be using a work computer or your employer won't be compliant with the PCI DSS requirements. Their (financial) liability though rather than yours.
0 -
DullGreyGuy said:
Would love a quote @plasticman as with the likes of Citrix you are technically working on a VM on the employer's servers. I don't take payments but the DPO was fully comfortable that no matter where I was the data wasn't leaving the UK as the VM was in East London.
Plasticman said:
If you're taking payment card details then you absolutely should be using a work computer or your employer won't be compliant with the PCI DSS requirements. Their (financial) liability though rather than yours.
Data protection legislation and PCI (card processing compliance) are very different things. I managed PCI compliance as part of my job several years ago and the computer used for processing was in scope for PCI compliance even if you were working on a VPN or via Citrix. Things might have changed since then of course but the guidance here implies not:
Protecting Payments While Working Remotely (pcisecuritystandards.org)
Ultimately though this is a risk for the employer and for them to manage as part of their PCI compliance. In this situation you should be aware of what you can or can't do because your training and policies should make it clear. If you haven't had any training then that's a good sign that the employer doesn't take it seriously.
0 -
If you are talking about VM software like Citrix then the machine you are working on is the virtual machine on the employer's servers, not the device physically in front of the user.
0
