Cyber Security

How Does GDPR Affect Mobile Device Management?

We know managing vast mobile fleets can be a pain in the you-know-what. Especially when they are chock-full of both private and corporate sensitive data!

Managing a vast mobile fleet of phones, laptops and other devices can be a huge headache for IT managers. Especially when the devices contain your company’s sensitive data.

With the recent passing of the GDPR, businesses located within the EU have an additional concern; legal consequences for failing to protect against data loss.

Here at Prey, we understand how daunting managing a large inventory of mobile devices can be. For IT managers at large enterprises, they often find themselves managing dozens, hundreds, or even thousands of cell-phones, laptops, and tablets. Maintaining the security of the data on these devices is crucial for the employees and the business itself.

Mobile Device Management and GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union regulation that governs data protection and privacy in the EU and the European Economic Area (EEA), as well as the transfer of personal data outside these regions.

In a nutshell, the GDPR aims to give individuals located in the EU and EEA more control over their personal data, by requiring websites and other controllers that hold and process such data to implement data protection measures.

Such measures include:

  • The right of users to request access to their collected data, and the right to be erased.
  • Informing users of their rights in clear and unambiguous language, through pop-ups or other notifications.
  • Integration of data protection safeguards such as pseudonymization of data (by encryption, tokenization, or other means), setting privacy to the highest level by default, and maintaining records of data processing activities.
  • The appointment of a data protection officer to ensure adherence to the rules.

While the regulation is for the benefit of individuals located in the EU and EEA, it applies to all enterprises that process such personal data, regardless of their location.

The GDPR was adopted in 2016 and went into effect in 2018. It has since become a model for data protection laws in other regions, such as the similarly structured California Consumer Privacy Act

GDPR Impact on Mobile Devices

When it went into effect on May 25th, 2018, GDPR began requiring organizations in the European Union to change their IT practices, especially concerning mobile devices.

The rapid proliferation of these devices in the workplace is already creating new challenges in security, but approaching data with the enforcement of GDPR will greatly increase the priority of data protection initiatives. The effects of the GDPR on mobile device management can be categorized into the following four areas:

  • Data audits
  • Device visibility
  • Security threats
  • Separating personal and business data

Data Audits

The GDPR requires affected organizations to track the circumstances under which Personal Identifiable Information (PII) is collected, stored, and used.

In particular, organizations must obtain explicit permission to collect this data from the subject, who can withdraw that permission at any time. A data audit allows an organization to identify any gaps in these requirements before a sanction comes in. The most significant issues to explore in the audit include identifying what data is stored, how it was collected, and who controls it.

The data audit must identify the data that qualifies as PII according to GDPR, including special categories such as sensitive PII. Personal Identifiable Information that belongs to children under 13 years of age must also be identified since this data has additional collection requirements. Additional issues in the data audit category include the reasons for collecting the data and how it’s used.

The method of collecting PII is also a vital reason for performing an audit. Common data sources include an organization’s website, telephone marketing, and third parties. The audit should also discover if the organization disclosed its privacy policy when it collected this data. 

A data controller determines why and how PII is processed, while a data processor performs these procedures on behalf of the data controller. The GDPR generally requires controllers and processors to have an agreement in place that defines these duties in greater detail.

Device Visibility

GDPR pushes organizations to greatly increase their knowledge about the devices and applications that have access to their data, especially mobile devices.

A data protection officer (DPO) must be able to determine the exact actions that occurred during a data breach, which generally requires the use of some type of audit trail. The audit trail also needs to record the actions the DPO took in response to the breach.

Mobile devices owned by an employee rather than a company pose a particular challenge to security since the company has no direct knowledge of these devices. However, the GDPR still requires mobile devices to comply with its security policies before it can be granted access to an organization’s network, regardless of the device’s ownership.

The key to reducing the risk of mobile devices is to obtain greater visibility of them and exercise more dynamic control over their operation. These capabilities allow an organization to properly classify mobile devices, which is necessary for ensuring GDPR compliance.

Security Threats

Protecting an organization’s mobile devices from security threats is vital for complying with GDPR.

Security configurations will change, and new policies will need to be implemented on the use of mobile devices and applications. The ability to monitor security on an ongoing basis is also necessary for GDPR compliance, especially attacks on an operating system.

Implementing this level of security for mobile devices requires organizations to consider several factors such as protecting a customer’s PII while allowing employees to access that data. These security measures must also be cost-effective without interfering with employees doing their job.

One solution to this problem is a layered approach to mobile security such that the OS, device, user and application are each protected by a separate layer of security. While each of these layers has its own set of vulnerabilities, these vulnerabilities are protected by at least one other layer.

Separating Personal and Business Data

GDPR requires organizations to identify PII. However, this process is more difficult when employees use their own mobile devices to connect to an organization’s network since these devices contain both personal and business data.

Ideally, the organization’s mobile device controller shouldn’t be able to access PII such as personal email accounts or applications. This capability will be highly helpful for complying with GDPR’s confidentiality and integrity principles.

The separation of personal and business data will be more challenging under GDPR because it has a broader definition of personal data than the DPD. Article 4 of the GDPR states that PII includes any information related to an identified or identifiable natural person. Note that this definition doesn’t require a person’s name to be known for information to qualify as PII.

Furthermore, PII now includes online identifiers such as mobile device IDs and IP addresses under certain circumstances. Generally, a data set becomes PII when it uniquely identifies a person, even when each specific piece of information is insufficient to do so by itself. Thus, a mobile device ID can become PII when combined with a place of employment or telephone number.

How Prey Can Help With GDPR Mobile Device Management

Prey helps companies maintain GDPR compliance. These Prey features help protect data that’s stored on mobile devices.

  • Track and locate mobile devices
  • Encrypt data
  • Remotely lock mobile devices
  • Remotely delete data from stolen or lost devices

With Prey, protecting your data and staying GDPR compliant is easy.

The Takeaway

As we can see, managing your mobile device fleet is a critical aspect of GDPR compliance. Especially in 2018, when BYOD has seen a resurgence, with a MarketsandMarkets study indicating adoption rates of 36 percent as of the beginning of 2017.

As mobile usage in corporations intensifies over time, there will be no excuse for not treating this subject with the seriousness it deserves. Time to get crackin’!

data breach
About the author

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.