Are You GDPR Compliant?

A hot topic of the year has no doubt been the General Data Privacy Regulations (GDPR). As of 25th May 2018, businesses must make sure they comply with a strict new set of rules surrounding data protection and retention. Failure to comply with these new rules can see fines of up to 4% of a company's global turnover. Businesses are preparing for the new rules, but one aspect of security which is often overlooked is the protection and control of mobile devices.

How GDPR requirements apply to mobile:

One of the key elements of GDPR is “Privacy by Design,” a framework based on proactively embedding privacy into the design and operation of IT systems, network equipment, and business practices. This includes mobile devices as employees are actively connecting to the network and using their devices to perform their various business functions and handle GDPR-regulated data associated with the company and its customers, partners, and other employees.

A number of mobile risks exist for businesses:

  • Malicious apps that leak or exfiltrate information, damage devices by embedding so deeply that they cannot be removed even with a factory reset, and provide unauthorised remote access.
  • Device threats that heighten attacker permissions to spy on communications occurring on the device, causing catastrophic data loss.
  • Mobile apps that access contact records and send data to servers residing outside of the EU.
  • Mobile devices that are connected to a network that has been compromised by a man-in-the-middle attack, resulting in data being siphoned off the device.

Unintentional data leakage is likely to play a key role. For example, employees may pull information about sales leads into their mobile devices' notes app or a cloud storage instance. Under GDPR, individuals in the EU have the "right to be forgotten." If one of those sales leads requested that the company delete their information, the company would not know about, nor have access to, the data in those personal apps and cloud storage instances, and could potentially incur a GDPR infringement.

GDPR-regulated data is on mobile devices

A recent Lookout survey showed the following information employees have access to via their corporate mobile devices, each of which carries with it some kind of GDPR-regulated personal data (e.g., contact information, email addresses) or access to systems that may store personal data:


This personal information is what businesses are expected to protect under the new GDPR rules. Mobile Device Management can therefore play a key part in becoming compliant.

Find out more about our Mobile Device Management software.