The General Data Protection Regulation (GDPR) took effect in the European Union in May. Since then, you’ve likely been assailed by a barrage of GDPR requirements advice, white papers and, of course, commercial offerings.
Even if your business isn’t headquartered in the EU, GDPR affects you if you control data on EU citizens (“data subjects”), or if you process data of EU citizens. The scope is very broad, and a significant number of non-EU companies are affected.
The intersection of GDPR — which is designed to protect people’s rights regarding their own personal data — and personal devices like smartphones is important for a couple of reasons. One is that the smartphone is a treasure trove of personal information for the owner, so protecting that information is critical. On the other hand, smartphones are also relevant to GDPR because they are gateways to customer data, and GDPR requirements set fairly strict rules about how personal information and customer data has to be treated and protected.
As an IT manager, smartphones are pretty far down on your GDPR compliance checklist — but that doesn’t mean you can ignore them completely. In every case, though, the key to checking them off the “to-do” list comes down to good mobile device management (MDM) tools and policies.
My Phone, My Data
When it comes to personal data on a user’s own phone (even when owned or controlled by the company), GDPR doesn’t put much responsibility on you. Essentially, GDPR only swings into action if you start backing up that information. Under GDPR’s rules, you have to give people control over what data you store, and you have to be careful to protect that data.
There are two main approaches to staying GDPR compliant when it comes to personal data on a user’s phone. One is to avoid backing up personal data at all. In that case, you don’t have it, so you don’t have to worry about it. If you’re using a “work/home” profile to segment the smartphone, you can back up the “work” side, leave the “home” side alone, effectively sidestep GDPR liability — although you should remind users that they ought to back up their own data.
If you think that a full backup is part of your job, then there are three tasks to get everything in GDPR alignment. First, you have to get consent to store someone else’s personal data. If people sign a BYOD/CYOD policy as part of getting their phone, make sure that it includes a clause giving consent to the company to back up the data.
Second, you have to give people an option to withdraw consent. This one is up to you: you could say that if you can’t back up the phone, it can’t be connected. Or, you could allow someone to have a phone under your BYOD/CYOD policy, but not take responsibility for backing it up.
The third task is to set in place some policies to be sure that those backups remain private and don’t get shifted around from country to country (something else GDPR discourages, especially between the EU and non-EU countries). GDPR requires that you inform someone if their data is breached, so the best thing to do is avoid losing your backups. For most IT managers, that’s no surprise, since they’ve been protecting server backups since the beginning. This should just be a reminder to protect users’ personal phone backups with the same rigor that you protect server backups — and a breach of either type of backup would likely activate a variety of GDPR notification procedures.
My Phone … Customer Data
The other area where MDM would come into contact with GDPR is when smartphones have access to customer data. The biggest deal is a data breach: if data are lost and someone else gains access to them and the breach is “likely to result in a high risk to the rights and freedoms of natural persons,” then you have to notify everyone about what happened. GDPR has lengthy requirements for this, depending on how much data were lost and how sensitive the data are.
GDPR does provide a few advantageous loopholes here, though. If you’re encrypting the data, for example, you don’t have to worry. Or, if a phone is lost or stolen, but you revoke credentials so that the phone can’t be used to retrieve data, no notification is required. This is where the MDM side of things comes into play: you can use your MDM to deploy policies ensuring phones are locked with long passwords when not in use, encryption is turned on for all disks, and lost smartphones and tablets wipe themselves if someone tries to break in.
GDPR requires significant changes in how companies process, store and transfer personal data. With a few small tweaks, IT managers can ensure that mobile devices don’t pose a problem with GDPR compliance.
Download this free guide to learn more about how to protect both personal and corporate smartphone data.