Mobile technology, and especially the mobile devices brought into companies through BYOD, poses unique challenges for companies that need to comply with the General Data Protection Regulation (GDPR) — and that is virtually all companies, not just the ones in Europe. The regulation compels companies to manage personal data and protect privacy, and it gives individuals a say in what data about them is used and how.
GDPR has several disclosure and control requirements: providing notice of any collection of personally identifiable data, notifying of any data breaches, obtaining the consent of any person about whom data is being collected, recording what data is being used and how, and giving people whose data is being collected the right to see, modify, and/or delete any information about them held in corporate systems.
The problem is that many corporate systems now extend into mobile branches that include smartphones and, in some cases, tablets. Analysts at J.Gold Associates, LLC, estimate that in about 35 to 50 percent of cases, these devices are not actually corporate devices, but personal devices being used by employees of the company in their daily work. These devices often hold corporate data, including data about individuals, because they are connected to and synced with back-office systems; as a result, they are subject to the same GDPR regulations and restrictions as larger systems (e.g., PCs and servers). (Note: I am the principal analyst at J.Gold Associates.)
GDPR also applies to any corporate-developed apps that have been deployed to mobile devices. Apps such as CRM, sales force automation, marketing and sales, and customer service are all potentially affected by GDPR.
We estimate that 65 to 75 percent of enterprises do not have a full management suite available on mobile devices that can set appropriate policies and monitor data use and data flow, all of which is necessary to comply with GDPR. Moreover, our research shows the vast majority of companies indicate they can’t say with certainty what’s actually on a user’s mobile device. This is a direct challenge to GDPR compliance.
Mobile 'loophole' may make companies non-compliant with GDPR
This mobile “loophole” in GDPR compliance is not often discussed. Yet the ability for employees to store and potentially share individual data about business partners and customers represents a real possibility that companies that thought they were compliant may not be.
This is a new area just starting to be recognized by many enterprises, and I expect that over the next couple of years we’ll see fairly lax enforcement by the authorities as many kinks are worked out in what non-compliance is and how it is determined, pursued and penalized. Yet there is still a very real threat that enforcement could become stringent, particularly if it is shown that a data breach or other misuse of data has occurred.
Data breaches of mobile devices can be particularly problematic, as so few enterprises actually know if their mobile devices (or BYOD smartphones) have been breached. Indeed, our research shows that 65 percent of companies either believe their mobile devices have never been hacked or don’t know if they’ve been breached. Given that 50 to 65 percent of users answer yes when asked if they have ever experienced a data breach on their mobile devices, it’s clear there is a major shortcoming in enterprise knowledge and management of mobile security.
What enterprises should do about GDPR compliance and mobile devices
What should enterprises subject to GDPR do about mobile? First and foremost, treat mobile devices as the corporate data repositories that they are. Many employees have corporate data on their devices, whether in apps or in personal databases.
Next, create a policy for corporate data on mobile devices. This policy needs to be as comprehensive as, and an extension of, the company’s general GDPR strategy. Finally, once defined, the policy needs to be fully implemented and monitored through the use of capable mobile management tools.
With relatively few companies deploying a full suite of EMM tools that could make this transition possible, it’s likely that not many companies can currently become fully compliant on mobile without making some significant technology investments. And while specialized "protected" areas like Samsung Knox and Google for Work help to secure data, that may not be enough without the additional EMM management capabilities.
Given the potential penalties imposed (up to 4 percent of corporate revenues per incident), it’s imperative that companies evaluate the threats to compliance posed by the plethora of mobile devices and users and take the necessary steps now to bring them into compliance.