Could mobile device management be the chink in your organisation's GDPR armour?
Ahead of the General Data Protection Regulation (GDPR) taking effect in May 2018, many organisations are concentrating on areas of vulnerability where sensitive data may be concerned. One of the big challenges companies will face whilst working to achieve GDPR compliance will be securing Personally Identifiable Information (PII), that is, data that could potentially identify a specific individual, held on mobile devices. When we mention mobile devices we're referring to mobile phones, laptops, tablets and any other type of portable mobile device.
GDPR compliance requirements
The GDPR imposes stricter requirements on how companies handle their users' privacy on mobile devices. The most noteworthy requirements are:
- Privacy by design: set out in Article 25 of the GDPR, privacy by design requires any action undertaken by a company processing personal data to be done with data protection and privacy in mind at every step. Organisations must understand exactly what data is on, transmitted to, or collected and transmitted from all mobile devices. Furthermore, organisations will be expected to ensure their policies are explicitly transparent regarding what data is going to be collected, how it will be processed, and the length of time it will be stored for.
- Explicit consent: data controllers must obtain explicit consent from data subjects to collect and process personal data. The GDPR expects data requests to be made in "clear and plain language".
- Right to be forgotten: a data subject should have the right to have his or her personal data erased and no longer processed where that personal data is no longer necessary in relation to the purpose for which it was collected or otherwise processed.
- Data breach notification: the GDPR states that "as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it". Organisations must ensure that they have the proper procedures in place to enable all staff to notify within the required timescale should such a breach occur.
Do you need a mobile device compliance strategy for GDPR?
GDPR matters to all businesses, but if you're unsure whether you need to link mobile device management with your GDPR strategy then ask yourself these questions:
- Do employees at your organisation use mobile devices to contact your customers?
- Is customer data saved onto mobile devices?
- Are employees at your organisation allowed to take their mobile devices out of the office?
- Are you able to lock down mobile devices should they become lost or stolen?
- Is there any management in place for your organisation's mobile devices?
- Do employees attach their own mobile devices to your corporate systems such as e-mail?
Locking your data down on mobile devices
We understand that many organisations may not have locked down their mobile strategy yet, so we've outlined some key considerations to prevent mobile device management being the chink in your GDPR armour.
Identify your GDPR risks:
It is impossible to manage and protect what you don't know about, so the critical first step is to understand what data is on your mobile devices. This should give you a better understanding of what privacy risks may exist. To identify your GDPR risks you must audit how and where your data is located. Your organisation should be considering:
- What devices are taken offsite?
- What information is stored locally on devices?
- Do employees use personal devices?
- Are mobile devices suitably protected?
- Can you remotely locate / lock / wipe devices?
Centrally manage and safeguard mobile devices:
Mobile Device Management provides dynamic, robust security and compliance management capabilities to continuously monitor devices and take action.
Deployment is quick. In just a few clicks, IT administrators can start enrolling devices and manage the entire mobile device lifecycle – from enrolment to enterprise integration, configuration and management, monitoring and security, support, and analytics and reporting.
- Enforce Basic Security: Password, Encryption, and Remote Wipe
- Set security policies and enforce them with automated compliance
- Safely share and update documents and content
- Manage Application Restrictions
- Enforce encryption and password visibility settings
- Detect and restrict jailbroken and rooted devices
- Remotely locate, lock and wipe lost or stolen devices, selectively wipe corporate data leaving personal data intact
- Enable geo-fencing rules to enforce location-based compliance
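The audit questions above (what is stored locally, personal versus corporate devices, can the device be locked or wiped) and the policy capabilities just listed (passcode, encryption, jailbreak detection, full versus selective wipe) come together in the compliance check an MDM platform runs against its device inventory. The following is an added, illustrative example and not code from AAG IT or from any MDM product: it evaluates a constructed inventory against a constructed policy and recommends the response the bullets describe, wiping a corporate device outright but only selectively wiping corporate data from a personally owned one. Field names, thresholds (minimum OS 14.0, 7-day check-in window) and action names are assumptions.

```python
"""Added example: MDM-style compliance evaluation over a device inventory.

Illustrative code only; the device records, policy thresholds and action
names below are constructed for this example and are not any vendor's API.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Device:
    device_id: str
    owner: str
    ownership: str            # "corporate" or "byod" (assumed values)
    passcode_set: bool
    encrypted: bool
    jailbroken: bool          # jailbroken (iOS) or rooted (Android)
    os_version: Tuple[int, int]
    holds_customer_data: bool  # answers "what information is stored locally?"
    reported_lost: bool
    last_checkin_days: int    # days since the device last reported to the MDM


# Constructed policy thresholds (assumptions, not from the page).
MIN_OS_VERSION = (14, 0)
MAX_CHECKIN_DAYS = 7


def findings_for(device: Device) -> List[str]:
    """Return the list of policy violations for one device (empty = compliant)."""
    findings = []
    if not device.passcode_set:
        findings.append("no passcode")
    if not device.encrypted:
        findings.append("storage not encrypted")
    if device.jailbroken:
        findings.append("jailbroken/rooted")
    if device.os_version < MIN_OS_VERSION:
        findings.append("os below minimum")
    if device.last_checkin_days > MAX_CHECKIN_DAYS:
        findings.append("stale check-in")
    if device.reported_lost:
        findings.append("reported lost or stolen")
    return findings


def recommend(device: Device, findings: List[str]) -> str:
    """Map findings to a response. BYOD devices are only ever selectively wiped,
    so the employee's personal data is left intact."""
    if device.reported_lost:
        return "remote_wipe" if device.ownership == "corporate" else "selective_wipe"
    if "jailbroken/rooted" in findings:
        # Platform integrity cannot be trusted: cut off corporate access and
        # remove corporate data, leaving personal data on a BYOD device alone.
        return "quarantine"
    if findings:
        # Non-compliant but otherwise trustworthy: block access only where
        # customer PII is actually present, otherwise just prompt the user.
        return "block_corporate_access" if device.holds_customer_data else "notify_user"
    return "none"


def evaluate(device: Device) -> Dict[str, object]:
    findings = findings_for(device)
    return {
        "device_id": device.device_id,
        "compliant": not findings,
        "findings": findings,
        "action": recommend(device, findings),
    }


def risk_summary(inventory: List[Device]) -> Dict[str, int]:
    """Headline numbers for the GDPR risk audit: how many devices are
    non-compliant, and how many of those hold customer PII."""
    results = [evaluate(d) for d in inventory]
    non_compliant = [r for r in results if not r["compliant"]]
    at_risk = [r for r, d in zip(results, inventory)
               if not r["compliant"] and d.holds_customer_data]
    return {"devices": len(inventory),
            "non_compliant": len(non_compliant),
            "customer_data_at_risk": len(at_risk)}


# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("corp-001", "a.smith", "corporate", True, True, False, (14, 3), True, False, 1),
    Device("byod-017", "b.jones", "byod", False, True, False, (13, 6), True, False, 2),
    Device("corp-042", "c.brown", "corporate", True, True, False, (14, 1), True, True, 12),
    Device("byod-088", "d.patel", "byod", True, False, True, (14, 0), False, False, 0),
]

if __name__ == "__main__":
    for d in INVENTORY:
        r = evaluate(d)
        print(f"{r['device_id']}: {'OK' if r['compliant'] else r['findings']} -> {r['action']}")
    print(risk_summary(INVENTORY))
```

The ordering in `recommend` matters: a lost device is wiped regardless of its other findings, and a jailbroken device is quarantined even if it holds no customer data, because the MDM can no longer rely on the platform to enforce the remaining controls. The `risk_summary` figures are the ones an auditor would ask for when answering the "identify your GDPR risks" questions above.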
Monitor and report on mobile devices:
Mobility Intelligence dashboards deliver an interactive, graphical summary of your mobile device management operations and compliance, allowing IT to report on demand across the entire enterprise.
- Detailed hardware and software inventory reports
- Configuration and vulnerability details
- Integrated smart search capabilities across virtually any attribute
- Customisable watch lists to track and receive alerts
- BYOD (bring your own device) privacy settings block collection of personally identifiable information
- Optional mobile expense management for continuous data usage monitoring and alerting
If underprepared, mobile device management certainly could be the chink in your organisation's GDPR armour, but by implementing the appropriate business processes you should be on your way to achieving GDPR compliance. Organisations embracing the use of mobile devices shouldn't be put off by the implementation of GDPR, but should instead use the opportunity to develop their mobile device strategy and improve their overall cyber security.
AAG IT is committed to helping businesses achieve compliance in time for GDPR’s advent. If you’d like to talk to us about your mobile device management or any other GDPR matter please don’t hesitate to contact us and we’ll be happy to offer our expert advice.