Perspectives from Phil Cracknell: mobile security and GDPR
Challenges of GDPR and mobile security
“GDPR hits us next May and it’s really being compounded as a problem by the fact that mobile devices have become more prevalent within organisations. Whether they’ve got policies for them or not, they still seem to have them. GDPR has a number of strict considerations that most businesses are preparing for, but they’re not necessarily preparing for those considerations on mobile devices. They’re probably not intending for personal data to make it onto the mobile devices.
“That said, if there’s a possibility that it can, then provision should be made for that. One of the lesser-known facts about GDPR is that if the data exists where it shouldn’t – whether it’s been leaked or picked up by someone else – you’re still subject to a fine. So if data is found on a mobile device and is not detected quickly and taken care of, and deleted or archived in some way, then that organisation may find itself in trouble because of a mobile device they didn’t even know they’d got on their estate.
“Of course, there are no silver bullets for GDPR. There’s a huge wave of readiness material hitting the market right now. And yet we’re still in a position where the detail of GDPR is still being fully fleshed out. The mechanism to gain compliance hasn’t been agreed, nor has the organisation that’s going to govern the compliance. So we don’t actually know what we’re aiming for, and mobile devices, as they introduce themselves to our network – be they corporate-issued or personally owned – will ultimately try to mirror the functionality and content of a normal desktop. There’s more of a move towards having all the same apps on your phone as you have on your tablet or your laptop.
“So you need to control devices if they’re lost or stolen. Of course, the problem is that with a personally owned device, you may not have the rights to wipe that device and the user’s additional content. There are other considerations as well that will cause legal and HR issues in terms of GDPR over mobile devices, namely the use of that mobile device during the day if it’s personally owned. Can the user send a tweet? Can they go on Facebook? You find that, even now, cases are starting to appear where HR departments are trying to process that kind of activity that’s taken place to excess, and have found the counter-claim is: ‘Well, I get emails from the company at 11:00 at night and I answer them, so why can’t I send a message on social media?’
“And of course, one of the other considerations with any kind of regulation or legislation that is focused around reporting and being reported and being publicly named and shamed is that if there are breaches, normally an organisation would have a fairly rigorous process of managing the communications, managing that data and that disclosure. That’s increasingly complex when you have personal users with social media, and a device that they’re allowed to use in the office at their desk, and perhaps they’re intimating that their organisation has been hacked or that their organisation has leaked some data. And so that whole containment exercise is potentially 100 times more complex.”