Managing a vast mobile fleet of phones, laptops and other devices can be a huge headache for IT managers. Especially when the devices contain your company’s sensitive data.
With the recent passing of the GDPR, businesses located within the EU have an additional concern; legal consequences for failing to protect against data loss.
Here at Prey, we understand how daunting managing a large inventory of mobile devices can be. For IT managers at large enterprises, they often find themselves managing dozens, hundreds, or even thousands of cell-phones, laptops, and tablets. Maintaining the security of the data on these devices is crucial for the employees and the business itself.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union regulation that governs data protection and privacy in the EU and the European Economic Area (EEA), as well as the transfer of personal data outside these regions.
In a nutshell, the GDPR aims to give individuals located in the EU and EEA more control over their personal data, by requiring websites and other controllers that hold and process such data to implement data protection measures.
Such measures include:
- The right of users to request access to their collected data, and the right to be erased.
- Informing users of their rights in clear and unambiguous language, through pop-ups or other notifications.
- Integration of data protection safeguards such as pseudonymization of data (by encryption, tokenization, or other means), setting privacy to the highest level by default, and maintaining records of data processing activities.
- The appointment of a data protection officer to ensure adherence to the rules.
While the regulation is for the benefit of individuals located in the EU and EEA, it applies to all enterprises that process such personal data, regardless of their location.
The GDPR was adopted in 2016 and went into effect in 2018. It has since become a model for data protection laws in other regions, such as the similarly structured California Consumer Privacy Act.
GDPR Impact on Mobile Devices
When it went into effect on May 25th, 2018, GDPR began requiring organizations in the European Union to change their IT practices, especially concerning mobile devices.
The rapid proliferation of these devices in the workplace is already creating new challenges in security, but approaching data with the enforcement of GDPR will greatly increase the priority of data protection initiatives. The effects of the GDPR on mobile device management can be categorized into the following four areas:
- Data audits
- Device visibility
- Security threats
- Separating personal and business data
The GDPR requires affected organizations to track the circumstances under which Personal Identifiable Information (PII) is collected, stored, and used.
In particular, organizations must obtain explicit permission to collect this data from the subject, who can withdraw that permission at any time. A data audit allows an organization to identify any gaps in these requirements before a sanction comes in. The most significant issues to explore in the audit include identifying what data is stored, how it was collected, and who controls it.
The data audit must identify the data that qualifies as PII according to GDPR, including special categories such as sensitive PII. Personal Identifiable Information that belongs to children under 13 years of age must also be identified since this data has additional collection requirements. Additional issues in the data audit category include the reasons for collecting the data and how it’s used.
A data controller determines why and how PII is processed, while a data processor performs these procedures on behalf of the data controller. The GDPR generally requires controllers and processors to have an agreement in place that defines these duties in greater detail.
GDPR pushes organizations to greatly increase their knowledge about the devices and applications that have access to their data, especially mobile devices.
A data protection officer (DPO) must be able to determine the exact actions that occurred during a data breach, which generally requires the use of some type of audit trail. The audit trail also needs to record the actions the DPO took in response to the breach.
Mobile devices owned by an employee rather than a company pose a particular challenge to security since the company has no direct knowledge of these devices. However, the GDPR still requires mobile devices to comply with its security policies before it can be granted access to an organization’s network, regardless of the device’s ownership.
The key to reducing the risk of mobile devices is to obtain greater visibility of them and exercise more dynamic control over their operation. These capabilities allow an organization to properly classify mobile devices, which is necessary for ensuring GDPR compliance.
Protecting an organization’s mobile devices from security threats is vital for complying with GDPR.
Security configurations will change, and new policies will need to be implemented on the use of mobile devices and applications. The ability to monitor security on an ongoing basis is also necessary for GDPR compliance, especially attacks on an operating system.
Implementing this level of security for mobile devices requires organizations to consider several factors such as protecting a customer’s PII while allowing employees to access that data. These security measures must also be cost-effective without interfering with employees doing their job.
One solution to this problem is a layered approach to mobile security such that the OS, device, user and application are each protected by a separate layer of security. While each of these layers has its own set of vulnerabilities, these vulnerabilities are protected by at least one other layer.
Separating Personal and Business Data
GDPR requires organizations to identify PII. However, this process is more difficult when employees use their own mobile devices to connect to an organization’s network since these devices contain both personal and business data.
Ideally, the organization’s mobile device controller shouldn’t be able to access PII such as personal email accounts or applications. This capability will be highly helpful for complying with GDPR’s confidentiality and integrity principles.
The separation of personal and business data will be more challenging under GDPR because it has a broader definition of personal data than the DPD. Article 4 of the GDPR states that PII includes any information related to an identified or identifiable natural person. Note that this definition doesn’t require a person’s name to be known for information to qualify as PII.
Furthermore, PII now includes online identifiers such as mobile device IDs and IP addresses under certain circumstances. Generally, a data set becomes PII when it uniquely identifies a person, even when each specific piece of information is insufficient to do so by itself. Thus, a mobile device ID can become PII when combined with a place of employment or telephone number.
How Prey Can Help With GDPR Mobile Device Management
Prey helps companies maintain GDPR compliance. These Prey features help protect data that’s stored on mobile devices.
- Track and locate mobile devices
- Encrypt data
- Remotely lock mobile devices
- Remotely delete data from stolen or lost devices
With Prey, protecting your data and staying GDPR compliant is easy.
As we can see, managing your mobile device fleet is a critical aspect of GDPR compliance. Especially in 2018, when BYOD has seen a resurgence, with a MarketsandMarkets study indicating adoption rates of 36 percent as of the beginning of 2017.
As mobile usage in corporations intensifies over time, there will be no excuse for not treating this subject with the seriousness it deserves. Time to get crackin’!.