Why mobile devices may pose a GDPR hazard

Friday, May 25, 2018. That’s the day when the European Union’s General Data Protection Regulation will take effect. At the time of writing, it’s just a few months away.

It’s therefore vital that service providers like you act now (if you haven’t done so already) to support your clients as they prepare for their upcoming obligations and responsibilities.

Of course, keeping more traditional forms of data protected as required isn’t generally a huge problem. However, mobile devices now play such a major part in almost all areas of our work and home lives that they can make handling data much more complicated.

The impact of mobile on GDPR goes beyond mere data protection, too: it can affect how clients deal with their customers, how their employees operate day-to-day, and much more.

In this blog, we’ll cover three key points that you – and perhaps more importantly, your clients – may not have considered when it comes to mobile devices and GDPR. We’ll then look at what you can consider doing to solve these issues.


Full network visibility

GDPR is set up in such a way that if a data breach happens on a business’s network, then that business can be held liable for it.

That sounds like basic common sense, of course, but applies even if a business doesn’t know that the breach has happened or if the incident involves a device that they aren’t aware of. In short: not being aware is not an excuse.

This makes it critical for enterprises to ensure that they have control and visibility over their network and the devices connecting to it. Rigorous security policies are a must, and companies need to be able to demonstrate that they know of, and can protect, sensitive data that they have to deal with.

If they need a specific enterprise mobile management (EMM) solution to do that, then now is the time for you to help them get that up and running.


Safety of business data on personal devices

As if managing the needs of GDPR for mobile devices wasn’t hard enough, adding employees’ own devices into the mix adds an extra layer of complexity.

There’s an increasing trend across industries towards Bring-Your-Own-Device (BYOD) to work, where employees use their own devices like smartphones or tablets for work purposes. BYOD brings efficiencies for businesses in hardware investment, and gives employees some helpful flexibility. But at the same time, it poses a greater risk to corporate data, and in turn can bring about more serious consequences under GDPR if things go wrong.

For example, a major pain point lies in what could happen when a device falls into the wrong hands. With a corporate-owned device, it’s relatively easy to disable the device and safeguard the data. But, as IT security professional Phil Cracknell warns, that isn’t always a given in a BYOD set-up:

“You need to control devices if they’re lost or stolen. Of course, the problem is with a personally owned device, you may not have the rights to wipe that device and the user’s additional content.”

Without doubt, this is a scenario that must be considered by any enterprise that uses BYOD and is working towards GDPR compliance. The answer can be found in solutions that offer Unified Endpoint Management (UEM). They allow business data to be stored on personal devices in separate ‘containers’ that can be remotely locked if the device is lost or stolen, without touching the user’s personal content.


Awareness of requirements within the workforce

Ensuring that your clients’ IT departments understand the consequences of GDPR is only half the battle. It’s just as important that each client’s workforce knows their individual responsibilities, too.

This is the human side to GDPR: making sure employees understand the policies their company is putting in place, and why they’re being so rigorously enforced.

In a modern business world where the lines between home and work are increasingly blurred, this is especially important. Employees will need to know whether their IT usage policies are going to change, not only inside normal working hours, but outside them, too.

As Phil Cracknell explains, there could be significant legal implications in that area: “Can the user send a tweet? Can they go on Facebook? Even now, cases are starting to appear where HR departments are trying to process that kind of activity that’s taken place to excess, and found the counter-claim is: ‘Well, I get emails from the company at 11:00 at night and I answer them, so why can’t I send a message on social media?’”

Of course, many employees won’t be IT experts, and this is where UEM solutions can help take care of the problem. By ensuring that policies are applied to the right (business) data and that restrictions prevent forbidden activity in the first place, workers won’t have to constantly worry about whether they’re on the right side of the regulation.

As an example, IBM MaaS360 can apply different policies to different types of data, and these policies can be adjusted by IT staff on a per-device basis whenever necessary.


The key takeaway

As these three points demonstrate, there really is no time to lose in helping your clients cover every potential issue and ensuring they’re fully ready to comply by May 25, 2018.

There are still plenty of enterprises out there that haven’t fully understood the scope of GDPR’s consequences for their data, their workforce and their business practices. And with speed and efficiency both important considerations at this late stage, providing a UEM solution like IBM MaaS360 to your clients could prove to be exactly what they need.
