There has been a lot of discussion, and many events and articles, on the new EU General Data Protection Regulation (GDPR) in recent months, so I’m not going to look at the massive breadth of activities required to become GDPR compliant. My focus is on Enterprise Mobility (EM), and I would like to explore some of the specific impacts the GDPR is likely to have on organisations’ EM programs, technologies and processes.
The key premise of the GDPR, as voiced by data privacy expert Sheila Fitzpatrick at a recent Irish Information Security Forum (IISF) event, is that the GDPR is not an IT problem, it’s a legal and compliance issue. IT and IT security will play a big role in helping to comply but if it just sits with IT then organisations are making a mistake.
How will GDPR affect EM?
The elements of the GDPR that will have the most impact on EM in my opinion are as follows:
• privacy by design
• explicit consent
• subject access rights, and
• data breach notification.
Privacy by Design is enshrined in Article 25 of the GDPR (data protection by design and by default), which requires privacy to be built into the design of every service rather than bolted on afterwards. This will impact EM because organisations will need to understand what data is on corporate mobile devices, which means conducting a data flow mapping exercise to identify exactly what data resides on, is transmitted to, or is collected from and transmitted by mobile devices. The devices in scope could include employee-owned devices (BYOD), corporate-owned devices, and the devices of third-party partners or customers (via apps). It is impossible to manage and protect what you don’t understand, so this is a critical first step in identifying the privacy risks that may exist in services and processes.
Mobile devices harvest a lot of contextual information, such as location, and this data can be collected inadvertently if applications and management tools are not well designed. For service providers who process data on behalf of larger organisations, I would expect that they will soon be required to provide privacy designs as part of any contract.
Data breach notification must be made by the data controller to the relevant supervisory authority (in Ireland, the DPC) without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach. Significantly, data processors must notify the relevant data controller without undue delay. This means organisations need data breach notification protocols regardless of whether they are processors or controllers.
Mobile devices are high risk. They are portable, easy to lose or steal, have large storage capacities, and are increasingly used as part of data processing services. Even email is a significant risk where attachments containing personal data are routinely sent to and stored on devices. As with privacy by design, it is imperative that organisations understand what data is held or processed on mobile devices. At an absolute bare minimum, data on devices should be encrypted: where the personal data on a lost or stolen device was rendered unintelligible to anyone not authorised to access it (for example, by strong encryption with the key not on the device), the GDPR does not require the affected individuals to be notified, although the supervisory authority must still be notified unless the breach is unlikely to result in a risk to those individuals.
Organisations should ensure that they have support processes in place that enable employees to report as early as possible that a device has been lost or stolen, and that allow the organisation to identify whether there is a risk of a data breach. This can be difficult given the 24/7, globally roaming nature of mobile users.
The GDPR is a massive improvement in data privacy legislation for EU citizens; however, becoming compliant will require a lot of hard work for organisations. 25 May 2018 may seem far off now, but it will roll around very quickly. If your organisation has not begun a GDPR compliance project yet, you had better get started!