Why your GDPR compliance strategy must include mobileDownload Case Study
When considering compliance, enterprises must put mobile devices on even footing with desktops. This is especially true as we race toward May 2018, when the General Data Privacy Regulation (GDPR) takes effect.
GDPR is a set of rules created by the European Parliament, European Council and European Commission that regulate how every company must protect and manage data pertaining to individuals within the European Union (EU). The new regulation will come into effect on May 25, 2018, and it carries stiff penalties for non-compliance.
Any company that does business in the EU, sends employees to the EU, has customers in the EU, engages with partners in the EU, or otherwise handles data associated with individuals who either travel to or are in the EU is subject to GDPR. This means that the personal data on employees' mobile devices is also regulated and must be secured irrespective of the ownership of the device.
How security teams can enable GDPR compliance on mobile
Compliance is by no means limited to traditional IT systems protected behind the firewall, and the growing use of mobile devices and apps in the workplace can put an enterprise's compliance efforts at risk. This can happen through employees' risky behaviors, malicious attacks against the company, and otherwise benign apps that send data to other countries.
Today, 64% of U.S. employees say they access their organization's customer, partner, and employee data while on their mobile device, according to a recent Lookout survey. This means that mobile devices are accessing the types of data protected by GDPR and other regulations. CISOs must account for these endpoints when building compliance strategies. Companies that don't understand how GDPR-regulated data - any information relating to an identified or identifiable person in the EU - is collected, stored, and shared via mobile devices could be subjecting themselves to large fines or reputation damage.
How GDPR requirements apply to mobile
Currently, 72% of security and IT executives who reported they have employees, customers or partners based in the EU believe they will be impacted by GDPR regulations, according to the survey, but only 17% of security and IT executives say they are expanding their compliance strategy to include mobile.
One of the key elements of GDPR is "Privacy by Design," a framework based on proactively embedding privacy into the design and operation of IT systems, network equipment, and business practices. This includes mobile devices - even if the organization embraces BYOD - as employees are actively connecting to the network and using their devices to perform their various business functions and handle GDPR-regulated data associated with the company and its customers, partners, and other employees.
According to GDPR documentation, privacy principle 6 states that "personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures."
A number of mobile risks can directly violate this principle:
- Malicious apps that: leak or infiltrate information, damage devices by embedding so deeply that they cannot be removed from the device even with a factory reset, and provide unauthorized remote access.
- Device threats that heighten attacker permissions to spy on communications occurring on the device, causing catastrophic data loss.
- Mobile apps that access contact records and send data to servers residing outside of the EU.
- Mobile devices that are connected to a network that has been compromised by a man-in-the middle attack, resulting in data being siphoned off the device.
Unintentional data leakage is likely to play a key role. For example, employees may pull information about sales leads onto their mobile devices' notes app or a cloud storage instance. In GDPR, individuals in the EU have the "right to be forgotten." If one of those sales leads requested that the company delete their information, the company would not know about, nor have access to the data in those personal apps and cloud storage instances, and potentially incur a GDPR infringement.
In another scenario, an enterprise chief financial officer may frequently access customer billing information and contract details on his mobile device using a "mash-up" app that combines the a CRM API together with APIs from his subscription billing service. His custom app does not have the same security protections as the official CRM app for storing and transmitting GDPR regulated personal data from the CFO's mobile device. Companies need to know what data is being accessed on mobile devices, who is accessing the data, how this data access is being controlled, and where the data goes. Without this visibility, they risk their compliance.
GDPR-regulated data is on mobile devices
When asked specifically about customer PII data, over half of employees say they have access to their organization's customer data via their mobile device, according to the survey.
Specifically, employees who took the survey reported having access to the following data types via their mobile device:
- Work Calendar
- Corporate Email
- Corporate Contacts
- Enterprise Applications
- Corporate Networks
- Corporate Messaging
- MFA/Stored Credentials
- Administrative Tools
Each one of these carries with it some kind of GDPR-regulated personal data (e.g., contact information, email addresses) or access to systems that may store personal data. How to find and stop GDPR non-compliance on mobile devices Organizations facing GDPR compliance requirements need to explore mobile threat defense solutions, that include protection for mobile app risks, to provide the visibility and policy controls they need to protect GDPR-regulated data. Lookout provides crucial visibility into both threats and risks to data regulated by GDPR through its Mobile Endpoint Security product. Such a solution can help organizations prepare for GDPR by quickly identifying threats and risks to regulated data on mobile; implementing comprehensive policy-based protection to remediate mobile risk; establishing risk-based conditional access policies; and preparing for GDPR's 72-hour breach notification requirements. See where mobile usage puts your regulated personal data is at risk GDPR infringement by taking this two-minute custom assessment of your mobile risk. Check out the Mobile Risk Assessment tool today.