I’m a remote worker and use my personal laptop. My work refuses to provide me with a laptop. We don’t connect to a work VPN/server. We take card details over the phone and have access to customers' personal details. I know there are things that need to be done regarding data protection and GDPR; is it my responsibility or my employer's? When I asked my manager he said he’s not thought of it because he uses a work laptop.
If you are connecting to a web site and the connection is over HTTPS then that is encrypted traffic. From a GDPR point of view as long as there are processes and policies in place that you have to follow then they should be covered.
So how are you accessing the company systems for viewing customer details or taking payments if not VPN or VM?
In my day things in call centres were very lax compared to just before covid. We didn't have to be stripped of equipment, we had notepads and call recording was continuous. We've done full circle to some degree given the ability to stop people having a pen or notepad to record payment details has gone out the window.
I would also check what your work's policies say (our IT policy allows us to access anything on a computer used for work. All machines belong to us, but we have a policy which permits a limited amount of personal use. There is a reminder of the policy which pops up when you log in, and we have secure, encrypted VPN for WFH).
I would also be considering having issues with my personal machine and requesting that one is issued, although of course you might find that you are instead told you have to work in person from the office.
Data protection legislation and PCI (card processing compliance) are very different things. I managed PCI compliance as part of my job several years ago and the computer used for processing was in scope for PCI compliance even if you were working on a VPN or via Citrix. Things might have changed since then of course but the guidance here implies not:
Protecting Payments While Working Remotely (pcisecuritystandards.org)
Ultimately though this is a risk for the employer and for them to manage as part of their PCI compliance. In this situation you should be aware of what you can or can't do because your training and policies should make it clear. If you haven't had any training then that's a good sign that the employer doesn't take it seriously.