Here at Prey we know managing vast mobile fleets can be a pain in the you-know-what. We are talking dozens, hundreds, or even thousands of cell-phones, laptops, and tablets chock-full not only of corporate data, but also user data.
And if you’re located in the EU, or if you manage or process data coming from European citizens, you will need to pay special attention to how you manage your devices.
The General Data Protection Regulation (GDPR) of the European Union (EU) describes the protection of personally identifiable information (PII) within the EU, including the transfer of such data outside the EU.
As of this past May 25th, the GDPR requires organizations in the EU to change their IT practices, especially with respect to mobile devices.
The rapid proliferation of these devices in the workplace is already creating new security challenges, and the enforcement of GDPR will greatly raise the priority of data protection initiatives. The effects of the GDPR on mobile device management can be grouped into the following four areas:
- Data audits
- Device visibility
- Security threats
- Separating personal and business data
Data Audits
The GDPR requires affected organizations to track the circumstances under which personally identifiable information (PII) is collected, stored and used.
In particular, organizations must obtain explicit permission to collect this data from the subject, who can withdraw that permission at any time. A data audit allows an organization to identify any gaps in these requirements before a sanction comes in. The most significant issues to explore in the audit include identifying what data is stored, how it was collected and who controls it.
The audit must identify the data that qualifies as PII according to GDPR, including special categories such as sensitive PII. Personally identifiable information that belongs to children under 13 years of age must also be identified, since this data has additional collection requirements. Additional issues in this category include the reasons for collecting the data and the ways in which it’s used.
A data controller determines why and how PII is processed, while a data processor performs these procedures on behalf of the data controller. The GDPR generally requires controllers and processors to have an agreement in place that defines these duties in greater detail.
Device Visibility
GDPR pushes organizations to greatly increase their knowledge of the devices and applications that have access to their data, especially mobile devices.
A data protection officer (DPO) must be able to determine the exact actions that occurred during a data breach, which generally requires some type of audit trail. The audit trail also needs to record the actions the DPO took in response to the breach.
Mobile devices owned by an employee rather than the company pose a particular challenge to security, since the company has no direct knowledge of these devices. However, the GDPR still requires mobile devices to comply with its security policies before they can be granted access to an organization’s network, regardless of who owns the device.
The key to reducing the risk of mobile devices is to obtain greater visibility of them and exercise more dynamic control over their operation. These capabilities allow an organization to properly classify mobile devices, which is necessary for ensuring their compliance.
Security Threats
Protecting an organization’s mobile devices from security threats is vital for complying with GDPR.
Security configurations will change, and new policies will need to be implemented on the use of mobile devices and applications. The ability to monitor security on an ongoing basis, especially for attacks on an operating system, is also necessary for GDPR compliance.
Implementing this level of security for mobile devices requires organizations to consider several factors such as protecting a customer’s PII while allowing employees to access that data. These security measures must also be cost effective without interfering with employees doing their job.
One solution to this problem is a layered approach to mobile security, in which the OS, device, user and application are each protected by a separate layer of security. While each of these layers has its own set of vulnerabilities, those vulnerabilities are covered by at least one other layer.
Separating Personal and Business Data
GDPR requires organizations to clearly identify PII. However, this process is more difficult when employees use their own mobile devices to connect to an organization’s network, since these devices contain both personal and business data.
Ideally, the organization’s mobile device controller shouldn’t be able to access PII such as personal email accounts or applications. This capability will be very helpful for complying with GDPR’s confidentiality and integrity principles.
The separation of personal and business data will be more challenging under GDPR because it has a broader definition of personal data than the Data Protection Directive (DPD) it replaced. Article 4 of the GDPR states that PII includes any information related to an identified or identifiable natural person. Note that this definition doesn’t require a person’s name to be known for information to qualify as PII.
Furthermore, PII now includes online identifiers such as mobile device IDs and IP addresses under certain circumstances. Generally, a data set becomes PII when it uniquely identifies a person, even when each specific piece of information is insufficient to do so by itself. Thus, a mobile device ID can become PII when combined with a place of employment or telephone number.
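To make that combination rule concrete, here is an added example (not Prey’s code) that runs a singling-out check over a constructed device inventory: it reports which combinations of seemingly harmless fields, such as employer plus OS, are enough to isolate a single device record, which is the situation in which those fields must be treated as PII. It generalizes the device-ID-plus-employer case from the text to any set of candidate fields.

```python
from collections import Counter
from itertools import combinations

# Constructed sample MDM inventory; every value below is made up for this example.
INVENTORY = [
    {"device_id": "dev-001", "employer": "Acme GmbH", "phone": "+49 30 111", "os": "android"},
    {"device_id": "dev-002", "employer": "Acme GmbH", "phone": "+49 30 222", "os": "android"},
    {"device_id": "dev-003", "employer": "Beta SAS", "phone": "+33 1 333", "os": "ios"},
    {"device_id": "dev-004", "employer": "Beta SAS", "phone": "+33 1 444", "os": "ios"},
    {"device_id": "dev-005", "employer": "Beta SAS", "phone": "+33 1 555", "os": "android"},
]


def singling_out_rate(records, fields):
    """Fraction of records that are unique on the given combination of fields.

    A rate above zero means at least one record (and so one person) can be
    singled out using only those fields, which is what turns them into PII
    under the GDPR's identifiability test.
    """
    key = lambda r: tuple(r.get(f) for f in fields)
    counts = Counter(key(r) for r in records)
    unique = sum(1 for r in records if counts[key(r)] == 1)
    return unique / len(records) if records else 0.0


def identifying_combinations(records, candidate_fields, max_size=2):
    """List every combination of up to max_size candidate fields that singles
    out at least one record, together with the fraction it singles out.

    Direct identifiers (device_id, phone) should be left out of candidate_fields;
    the interesting result is which indirect fields become identifying together.
    """
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(candidate_fields, size):
            rate = singling_out_rate(records, combo)
            if rate > 0:
                found.append((combo, rate))
    return found


if __name__ == "__main__":
    # employer and os are harmless alone but isolate dev-005 when combined.
    for combo, rate in identifying_combinations(INVENTORY, ("employer", "os")):
        print(f"{'+'.join(combo)} singles out {rate:.0%} of records")
```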
As we can see, managing your mobile device fleet is a critical aspect of GDPR compliance, especially in 2018, when BYOD has seen a resurgence: a MarketsandMarkets study indicates adoption rates of 36 percent as of the beginning of 2017.
As mobile usage in corporations intensifies over time, there will be no excuse for not treating this subject with the seriousness it deserves. Time to get crackin’!