GDPR means that if you process personal data, you must have the appropriate organisational and technical measures in place to protect that data from misuse, loss or unauthorised access. This becomes a particularly acute issue when the majority or all of your people are working from home.
Apart from GDPR considerations, IT systems and infrastructure are likely to be under additional strain. You need to carry out sufficient testing to ensure they can cope and that there is no risk of interruption to essential functions. Added to that, there is likely to be an increased risk of hacking, so you need to have maximum security protection, particularly if you handle financial transactions.
Yes, you should tell your employees and any visitors. They may need to know in order to protect their own health.
However, under data protection law, you must only provide the minimum amount of information about people. According to the law, you must judge for yourself whether it is necessary to reveal the name of the person who has contracted the virus.
This is a difficult area to give guidance about. However, it would be reasonable to give the name of someone who contracted COVID-19 to the people who had come into direct contact with that person.
The requirements are the same as usual, which means you must ensure that any personal data you hold is secure, wherever people are working.
If you already have good homeworking systems in place, you should keep checking that your systems are secure and that your people are well trained in how to handle personal data.
However, if homeworking has caught you by surprise, you may need to do more to protect against leakages of personal data. As a minimum you should:
You can read the government’s guidance on cyber security for businesses here.