With the General Data Protection Regulation (GDPR) taking effect May 25, many organizations are likely to be out of compliance with the European data privacy standards. Research firm Gartner estimates that up to 30 percent of organizations affected by the regulation could face “significant financial exposure” for failure to meet GDPR requirements to protect personal data on mobile devices.
The GDPR modernizes the 1995 Data Protection Directive 95/46/EC, which is currently in effect, to help protect private user data collected by companies with a physical presence in the EU or that do business in the EU. GDPR requirements mandate that organizations explicitly seek consent for data processing, protect personal data, notify users of security breaches and, in some cases, appoint a data protection officer to maintain compliance. Gartner estimates that more than half of companies affected by the regulation won’t be in compliance when it takes effect.
Javvad Malik, security advocate at cybersecurity firm AlienVault, says breach detection and reporting is one area that’s commonly overlooked in GDPR preparations. And now is the time to develop plans for a specific response to a breach, he recommends. For organizations without in-house resources to tackle GDPR compliance, he suggests engaging consultants or legal representation.
“GDPR is clear about having rapid response capabilities,” Malik says, “and the need to report breaches to regulators, and where applicable to affected individuals. This should involve clear and timely communication that specifies what happened, how it happened, what steps the company is taking, and what advice it can give affected individuals. All companies should have a documented and practiced plan so that in the event of an incident, the appropriate response can be taken with minimal delay.”
According to a Gartner report on GDPR requirements and mobility in the enterprise, fines can be steep: “Loss of a managed mobile device containing personal data constitutes a breach with fines up to €20 million, or 4% of total yearly worldwide turnover (whichever is higher), thus making I&O leaders responsible for implementing security measures such as encryption and remote wipe.”
Gartner’s mobile-specific recommendations for meeting GDPR requirements include ensuring that enterprise mobility management (EMM) tools enforce passcode authentication and encryption, and explicitly asking users’ permission to enroll in device management (without relying on prefilled checkboxes when asking for that permission).
One of the main concerns regarding mobile devices and GDPR is the mix of personal and corporate data on phones owned by employees but used for business. Gartner recommends using MDM to set up role-based access so that administrators do not access the personal information on those devices.
The Gartner report also suggests that organizations avoid the collection of any mobile data that’s not absolutely necessary and ensure that the data that is collected is encrypted. Companies should also use “pseudonymizing techniques such as tokenization and masking/obfuscation,” notes Gartner.
GDPR broadens the definition of personally identifiable information (PII) beyond name, phone number, Social Security number, address and credit card information to include any information that can uniquely identify a person, including email address, IP address and Media Access Control (MAC) address, according to Gartner.
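As an added illustration of the pseudonymization techniques Gartner names above, applied to the three identifiers the article lists as PII (email, IP and MAC address), the Python below tokenizes and masks a constructed EMM device record. This is example code written for this page, not code from the article or from Gartner; the key and the sample record are assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key. In a real deployment the key lives in a secrets manager or
# HSM, separate from the pseudonymized data, so the mapping cannot be rebuilt from a dump.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def tokenize(value: str, key: bytes = SECRET_KEY) -> str:
    """Keyed token (HMAC-SHA256) for a PII value: stable across records so it can
    still be joined and counted, but not reversible without the key. A plain hash
    would not do here, since the MAC and IPv4 spaces are small enough to enumerate."""
    normalized = value.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain: 'a***@example.com'."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        raise ValueError("not an e-mail address")
    return f"{local[0]}***@{domain}"


def mask_ip(ip: str) -> str:
    """Zero the host part: keep a /24 for IPv4, a /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def mask_mac(mac: str) -> str:
    """Keep the vendor OUI (first three octets), mask the device-specific half."""
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError("not a MAC address")
    return ":".join(octets[:3] + ["xx"] * 3)


def pseudonymize_device_record(record: dict) -> dict:
    """Replace raw identifiers with tokens (for analytics joins) and masked forms
    (for human display); the raw values are not carried forward."""
    out = {k: v for k, v in record.items() if k not in ("email", "ip", "mac")}
    out["email_token"], out["email_masked"] = tokenize(record["email"]), mask_email(record["email"])
    out["ip_token"], out["ip_masked"] = tokenize(record["ip"]), mask_ip(record["ip"])
    out["mac_token"], out["mac_masked"] = tokenize(record["mac"]), mask_mac(record["mac"])
    return out


# Constructed sample record, as an EMM inventory export might produce it.
SAMPLE = {"device": "phone-0042", "email": "Alice@Example.com",
          "ip": "203.0.113.77", "mac": "A4-5E-60-12-34-56"}
```

Calling `pseudonymize_device_record(SAMPLE)` yields a record that can still be grouped per user or device by token, while the stored copy no longer carries the raw email, IP or MAC.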
“In order to identify vulnerabilities, companies should perform a data inventory to understand which systems all personal data is held on and how it is processed,” Malik says. “Once the data inventory is complete, vulnerabilities need to be identified in the applications and infrastructure, and recorded in a risk register so that any high risks can be addressed.