GDPR coming into force in
There have been a lot of discussions, events, articles etc. on the new EU General Data Protection Regulation (GDPR) in recent weeks. It was the primary topic for discussion at the excellent DPO conference in the Aviva last week ( https://www.dpo.ie/conference #dpconf17 ) and I have seen dozens of mentions of it in my Twitter feed and inbox.
From discussions I’ve had with clients and peers there seems to be a wide disparity of activity going on around GDPR. Some organisations are well on their way to compliance with dedicated project teams across IT, business/operational departments, and legal. Others seem to have little or no real understanding of the practical impact of GDPR or of what they should be doing to address it. And of course we have plenty of organisations in the middle, with some GDPR activity going on but not at an enterprise-wide level.
This article is not going to look at the massive breadth of activities required to become GDPR compliant. My focus is on Enterprise Mobility (EM) and what I would like to do is explore the specific impacts GDPR is likely to have on organisations’ EM programs, technologies, and processes. What follows is a high-level summary of the areas I would look at in a GDPR EM Gap Analysis, which is something we are offering to clients interested in getting at least this element of their organisation compliant.
So what is the GDPR?
As mentioned, there are lots of good articles and advice out there on the GDPR. The Data Protection Commissioner’s Office has a good infographic and guidance note here https://goo.gl/C16gh0 as does the UK equivalent (the ICO) here https://goo.gl/qtqYoM and if you want to read the regulation in full you can get it here http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
The key premise is that there will be a single minimum set of data protection rules across all EU states, and that the personal data of data subjects in the EU falls under the GDPR regardless of where the data controller or processor is established, as long as the processing relates to offering them goods or services or monitoring their behaviour (Article 3). This will be interesting for large US firms with EU customers or employees, for example.
How will GDPR affect EM?
The elements of the GDPR that will have the most impact on EM in my opinion are as follows and I’ll dig into each in more detail further on.
- Privacy by Design
- Explicit Consent
- Subject Access Rights
- Data Breach Notification
Privacy by Design
“the GDPR enshrines both the principle of ‘privacy by design’ and the principle of ‘privacy by default’ in law. This means that service settings must be automatically privacy friendly, and requires that the development of services and products takes account of privacy considerations from the outset” (The GDPR and You: Preparing for 2018, Irish Data Protection Commissioner guidance note).
Privacy by Design is enshrined in Article 25 of the GDPR (data protection by design and by default), which requires privacy to be built into the design of all processing and services, and requires that by default only the personal data necessary for each purpose is processed. I believe this will impact EM in two significant ways:
- Understanding what data is on a mobile device. Organisations will need to conduct a data flow mapping exercise to understand exactly what data is residing on, transmitted to, or collected and transmitted from mobile devices. This could include employee devices (BYOD), corporate-owned devices, and 3rd party partners’ or customers’ devices (via apps). It is impossible to manage and protect what you don’t know about, so this is a critical first step in understanding what privacy risks may exist in services and processes.
Mobile devices by their nature harvest a lot of contextual information such as location and this data can be inadvertently collected if applications and management tools are not well designed.
For service providers who process data on behalf of larger organisations, I would expect you will soon be required to provide privacy designs as part of any contract. Article 28 already requires controllers to bind their processors by a written contract setting out the processor’s obligations, so expect the privacy design to become part of that processing agreement.
- The second Privacy by Design impact is on employee devices managed by the organisation (whether BYOD or corporate owned, COPE/COBO). EMM solutions can collect sensitive personal information about employees such as application inventory, location, and in some cases even browser history. Organisations will need to ensure their policies explicitly define what data is going to be collected, how it will be processed, and how long it will be stored for (an implicit opt-out is no longer allowed, see the next section), and the EMM configuration itself should be set to collect only the data those policies actually need.
It also looks like policies will have to include procedures for handling subject access requests and the right to be forgotten, although it is not yet clear how these will apply in an employee/employer context.
Explicit Consent
A key concept in the GDPR is consent. Consent is one of the lawful bases for processing under Article 6 (alongside, for example, legitimate interest), and explicit consent is required for special categories of data under Article 9. Wherever a controller relies on consent it must be freely given, specific, informed and unambiguous, and given by a statement or a clear affirmative action: silence, pre-ticked boxes or inactivity no longer count (Article 4(11), Article 7, Recital 32). Obviously this has major impacts on marketing initiatives, surveys and similar activities, which may affect mobile in the following ways:
Mobile devices are now often used as data collection tools. As per the earlier section on Privacy by Design, if devices are used for this purpose then obtaining consent needs to be part of the solution, and the consent must be recorded so that the controller can demonstrate it was given (Article 7(1)). Note the GDPR repeatedly states that any such consent request must be presented in “clear and plain language”.
The other area where consent could come into play is handling employee personal data collected on corporate managed devices. EM policies such as acceptable usage or similar will need to include clear and plain language describing what data is being collected, why it is being collected, how it will be processed, how it will be protected, and request explicit consent for all of the above. One caveat: Recital 43 states that consent is not a valid basis where there is a clear imbalance between the data subject and the controller, and regulators have long read the employment relationship that way, so in practice organisations should expect to rely on another lawful basis for the monitoring itself (such as legitimate interest, see below) and treat the consent step as transparency rather than as the sole justification for the processing. It is not clear whether organisations would also have to communicate the processes for subject access requests and the right to be forgotten (for example when leaving employment); however, I would not be surprised if these were required. It looks like the full impact of GDPR on employment law will be up to each state to define in more detail, so hopefully we will see more clarity in the coming months.
Subject Access Rights
The GDPR enhances the rights of data subjects to access personal data held about them by introducing the following concepts:
- Right to be forgotten (right to erasure, Article 17). The GDPR states that “a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purpose for which they are collected or otherwise processed”
Impact: Organisations will need to have mechanisms in place to locate all of this data, collect it and remove it from all data sources, including backups. To comply with this, it is imperative that organisations control the flow of personal data on mobile devices so that it cannot be stored and shared in a way that is not visible to the organisation; otherwise they could be in breach of this requirement. This can be achieved through containerisation and DLP controls, for example, and a managed container also gives you a defined place to wipe when an erasure request arrives.
- Right to data portability (Article 20). The GDPR states that “where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller”
Impact: This is an interesting idea. The theory, as I understand it, is that you can easily move from one service provider to another without going through another data harvesting process, which should prevent multiple copies of your data being collected, stored and processed. In practice this will require some sort of standard data format, which could be difficult for organisations to agree on. From an EM point of view this does not have a particular impact except for the same reason as the right to be forgotten above: all data must be known and possible to locate.
- Subject access requests (Article 15). These are now free, and Article 12(5) explicitly states that organisations cannot charge the data subject unless they can demonstrate the requests are manifestly unfounded or excessive, in particular because of their repetitive character (DOS by SAR!!). What this is likely to mean is: expect more of them.
From the GDPR (Recital 59): “Modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month”
Impact: Again, as per the previous data subject rights, the main impact is the ability for organisations to collate and provide the data in a timely fashion (one month, extendable by a further two months for complex or numerous requests under Article 12(3), provided the subject is told of the extension within the first month). The line about providing access via electronic means applies to all three of the rights detailed here, makes sense from a data subject point of view, and may be something easily done through a mobile app.
As has been stated several times, it is not completely clear how the above rights will affect employee data managed by organisations. This looks like it will be up to each member state to legislate for (see Article 88 of the GDPR). Organisations will have to show that the processing and storing of employee personal data meets a legitimate interest (Article 6(1)(f)), for example security, that is not overridden by the employee’s rights. This will not exempt them from processing the personal data in a secure manner and complying with the rest of the GDPR: the transparency obligations of Articles 13 and 14, Privacy by Design, and the subject rights above all still apply.
Data Breach Notification
Data breaches must be notified to the relevant supervisory authority (the DPC in Ireland) within 72 hours of the data controller becoming aware of the breach (Article 33). As stated in the GDPR (Recital 85):
“as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”
Definitions of “aware” are unclear, but I would suggest best practice is to notify on any suspicion and then retract if investigation shows no breach occurred. Article 33(4) explicitly allows the information to be provided in phases where it is not all available at once, so an initial notification does not have to be complete. It is important to note that data processors must notify the relevant data controller without undue delay (Article 33(2)), which is a new requirement as this was not previously spelled out. This means organisations need data breach notification protocols regardless of whether they are processors or controllers.
If it is believed the breach is likely to result in a high risk to the rights and freedoms of the affected data subjects, they must also be notified without undue delay (Article 34; there is no fixed 72-hour limit for this communication, but the standard is the same “without undue delay”). This communication needs to include a clear description of what was lost as well as recommendations for the subject to mitigate the potential adverse effects. This could be a difficult and expensive process if your organisation loses thousands of data subjects’ personal data.
Impact: Mobile devices are by their nature high risk. They are portable and easy to steal, yet have potentially very large storage capacity and are increasingly used as part of many data processing services. Even just email can be a huge risk if it is common to email attachments containing personal data (marketing lists, CRM extracts, etc.). As per the Privacy by Design section, it is imperative organisations understand what data is held or processed on mobile devices. At an absolute bare minimum, data on devices should be encrypted: Article 34(3)(a) removes the obligation to notify data subjects where the affected data was rendered unintelligible to anyone not authorised to access it, for example by encryption, although notification to the supervisory authority is still required unless the breach is unlikely to result in a risk. Note that encryption only earns you this defence if the lost device was actually locked, or the data sat in a managed container with its own key; a device that is encrypted at rest but left unlocked, or protected by a short PIN a thief can guess, does not. EMM policies should therefore enforce device or container encryption together with a passcode policy and lock timeout rather than assume the platform default is enough.
Organisations should ensure they have support processes in place to enable employees to report as early as possible that a device has been lost or stolen, and to identify whether there is a risk of a data breach (what data was on the device, whether it was locked and encrypted, and whether a remote wipe succeeded). This can be difficult given the 24/7 global nature of mobile users, and the 72-hour clock makes a round-the-clock reporting channel worth having.
The GDPR is a massive improvement in data privacy legislation for EU citizens; however, compliance with it will require a lot of hard work for organisations. May 25 2018 may seem far off now, but it will roll around very quickly and if your organisation has not begun a GDPR compliance project you had better get started!
Enterprise Mobile use cases bring a lot of risks and potential compliance issues with GDPR; however, at the same time I believe it’s one area of an organisation that can be brought in line relatively quickly. We can definitely help organisations with these projects, which may not solve all of your GDPR headaches but can definitely move you closer to that goal. If you would like to discuss, get in contact via cwsi.ie or email me directly at firstname.lastname@example.org .
I’m hoping to do a few more articles on specific elements of achieving GDPR compliance for EM so if you would like to hear more let me know. I’m also very interested to hear other people’s perspectives on the impact of GDPR particularly on employee data so please get in touch via email or twitter @conatypaul