For any business or organization operating in Europe, May 25, 2018 is an increasingly urgent deadline. The GDPR, while a huge win for consumer rights and privacy protection overall, requires action from anyone who collects and stores personal information, such as names, e-mail addresses and phone numbers. If that sounds like almost all businesses these days, it’s because that’s precisely the case.
In a previous writeup, we had a look at some of the implications of the GDPR for businesses. We’ve also looked at the implications HIPAA has for healthcare related data in the US. It’s worth looking into these issues, and when you’re ready, we want to help you figure out how Enterprise Mobility Management (EMM) from Miradore can help you comply.
The GDPR in a nutshell
- Passed in 2016, EU’s General Data Protection Regulation will come into full effect in May 2018
- 510+ million EU residents will be covered by the regulation, forcing all businesses with EU operations to comply with tight rules on how to store personal data on customers
- For individuals, the GDPR brings multiple protections:
  - Depending on the severity of the breach, businesses must disclose data breaches to authorities and/or the affected consumers within a couple of days of discovery.
  - In particularly serious cases, consumers must be notified of breaches as well.
  - Individuals have a right to know what information on them is being stored.
  - Individuals have a right to have all this information erased on request, except when legitimate legal requirements for archival are in place.
- These requirements are likely to call for changes in IT architectures and databases.
- Businesses that fail to comply can be fined up to EUR 20 million, or 4% of their annual global turnover.
Those are the basics. Now let’s have a look at how EMM can be of help in achieving real-world, everyday compliance.
1. Lock screens and passcodes stop threats of all sizes
Virtually all mobile phones now feature lock screens with PINs or pattern locks. This level of authentication alone can stop the most opportunistic types of unauthorized access. It’s also a foundation for resisting more advanced attacks on the device.
With Miradore’s EMM, it’s easy to enforce passcode policies on mobile devices. Our user-friendly dashboard makes it easy to follow up on policy compliance. This proves especially useful under the GDPR’s requirements for “privacy by design” and “privacy by default”.
Under these requirements, companies need to prove that they’re in control of user data and that they’ve taken steps to protect it. It’s important to be able to implement group updates, restrict apps and networks, and enforce security measures.
2. Unencrypted data on the move is a liability
Encryption is often available with the push of a button, keeping data inaccessible to anyone who can’t present the right key or password. We can divide data encryption into two main categories: encryption of data at rest and of data in motion. Data at rest is data stored on, for example, the phone’s internal storage, and encrypting it is easier than ever.
Apple’s iOS devices are designed with encryption in mind, and late-model Android flagships are catching up. Miradore confirms your fleet’s encryption status through a single pane of glass.
As a side note, it’s worth remembering that encryption of flash memory is even more crucial than it was for old-time spinning hard drives. The way the firmware on flash disks shifts data around internally, for wear leveling, can cause unwanted data retention in areas that are no longer accessible through the disk interface, so overwriting a file does not guarantee the old copy is gone. Such data could be recovered by advanced adversaries. To avoid this, encrypt all computers and phones immediately out of the box, before any personal data is written to them.
3. Unnecessary data should be destroyed
Under the GDPR, it’s important to limit the time during which data is stored on devices. It becomes crucial to properly wipe and reset devices when they’re decommissioned or reassigned, to avoid leaving remnants of data on old devices.
Whether you’re dealing with a lost device or just one in need of a reset, Miradore is at your service with comprehensive wiping capabilities, which can be used remotely if needed.
4. Take control of data and apps on business devices
People love instant access to whatever apps they’re used to for sharing data and communicating. However, sometimes reasonable consumer choices aren’t suitable for the workplace. As needed, Miradore’s EMM allows you to white- or blacklist apps according to the needs of your corporate network. We can also help you disable device features such as the camera or Wi-Fi.
For a more granular approach to prevent data leakage on Android devices, we offer full support for the Android Enterprise Work Profile, an option for separating work and personal app environments on phones. This functionality offers an instant jump between user profiles for work and personal stuff, with the work data protected by a separate passcode.
5. Know where you stand with software updates
Software is like the precious humans writing it: complex and imperfect. That’s why IT largely revolves around making sure software updates and patches for security and reliability problems get installed on target devices.
Reaching a sensible patch level requires information, and Miradore’s EMM provides just that. This is a sanity saver when the number of devices starts reaching double digits in a small organization. From Miradore Online, you’ll see your OS versions with a single glance. Having this visibility is crucial, since mobile platforms don’t yet allow for remote management of operating system updates.
To make sure your data doesn’t leak or get locked up at the whim of malware operators, anti-malware and similar tools may also make sense where applicable. With Apple VPP and Managed Google Play support, we make the delivery of these easy.
6. Stay informed about what software your device fleet is running
For companies with the role of data controller, a concept we explained in our previous article, it’s required by the GDPR to actively prove what’s done to protect personal data and improve data security. Reporting and logging capabilities are going to be valuable tools.
Whether you choose to be very open to user choice or very restrictive with apps, it’s a good idea to follow up. Compliance with the GDPR puts our extensive Report Builder in Miradore’s EMM to good use. This tool delivers easily readable reports on a number of things, including apps and their versions.
You may not always want to go as far as only allowing whitelisted apps in the modern workplace. But when needed, sound reporting capabilities can help you find apps installed from outside the Google Play Store, or disk space and bandwidth hogs.
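The reporting described in sections 1, 2, 5 and 6 boils down to the same pattern: take a device inventory and evaluate each device against a few policy checks (passcode set, storage encrypted, OS version at or above a minimum, only approved apps and only from trusted sources). The script below is an added example written for this article, not Miradore’s own code or report format; the inventory, the minimum OS versions, the approved app ids and the installer ids are all constructed placeholders.

```python
"""Fleet compliance report over a constructed device inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed minimum OS versions per platform (placeholder policy, not Miradore's).
MIN_OS_VERSION = {"ios": (11, 0), "android": (7, 0)}
# Hypothetical approved app identifiers and trusted installer identifiers.
APPROVED_APPS = {"com.example.mail", "com.example.vpn"}
TRUSTED_INSTALLERS = {"com.android.vending", "apple.appstore"}


@dataclass
class App:
    app_id: str
    version: str
    installer: str  # id of the store/installer that put the app on the device


@dataclass
class Device:
    name: str
    platform: str
    os_version: str
    passcode_set: bool
    encrypted: bool
    apps: List[App]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.1.0' into (8, 1, 0); non-numeric fragments count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def check_device(device: Device) -> List[str]:
    """Return a list of findings; an empty list means the device is compliant."""
    findings: List[str] = []
    if not device.passcode_set:
        findings.append("passcode-missing")
    if not device.encrypted:
        findings.append("unencrypted")
    minimum = MIN_OS_VERSION.get(device.platform.lower())
    if minimum is None:
        findings.append("unknown-platform")
    elif parse_version(device.os_version) < minimum:
        findings.append(f"os-outdated:{device.os_version}")
    for app in device.apps:
        if app.app_id not in APPROVED_APPS:
            findings.append(f"unapproved-app:{app.app_id}")
        if app.installer not in TRUSTED_INSTALLERS:
            findings.append(f"sideloaded-app:{app.app_id}")
    return findings


def build_report(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its findings."""
    return {d.name: check_device(d) for d in devices}


def summarize(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count devices per finding category (the part before ':')."""
    counts = {"compliant": 0}
    for findings in report.values():
        if not findings:
            counts["compliant"] += 1
        for category in {f.split(":")[0] for f in findings}:
            counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("ios-ceo", "ios", "12.1", True, True,
           [App("com.example.mail", "3.2", "apple.appstore")]),
    Device("android-sales-7", "android", "6.0.1", False, False,
           [App("com.example.vpn", "1.0", "com.android.vending"),
            App("com.games.freeflashlight", "9.9", "com.unknown.sideload")]),
    Device("android-field-2", "android", "8.1.0", True, True,
           [App("com.example.mail", "3.1", "com.android.vending"),
            App("com.example.notes", "2.0", "com.android.vending")]),
]

if __name__ == "__main__":
    report = build_report(INVENTORY)
    for name, findings in report.items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
    print(summarize(report))
```

The per-device findings are what you would hand to whoever follows up with the user; the summary is the kind of number an auditor asks for when you need to show what share of the fleet is encrypted, passcode-protected and on a supported OS. Version strings are compared as integer tuples rather than as text, so "10.0" correctly ranks above "9.3".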
7. Address the risk of theft
Many of the things we’ve discussed above add up when building a security threat model that fits within the regulation. Yet there’s one factor so obvious it’s easily overlooked: the form factor and mobility of modern devices, which directly affect their physical security.
Powerful mobile devices with access to full corporate resources are carried around in pockets, bags and purses to an extent that was hard to imagine around a decade ago when the laptop was the mobile device of choice.
Laptops are often carried around in designated bags, which certainly are exposed compared to desktops and servers locked away at corporate premises. However, unlike phones, laptops are usually not around when the end user goes bar hopping.
This is the plainest reason why mobility management matters: it augments the very limited physical security of your mobile hardware assets. Mobile devices will eventually get stolen and lost. The question is whether your organization has tools to lock or wipe devices that have left your control. Additionally, encryption is paramount. When encrypted, a lost device is simply a lost device; an unencrypted one becomes a data loss liability.
8. Deploy and enforce settings remotely
In countries where data caps on mobile plans are a thing, users are thirsty for free Wi-Fi. And even on semi-trusted networks, there might be a need to access company-only services. With Miradore Mobility Management, things like Wi-Fi passwords and VPN profiles are easy to distribute widely, without physically touching the phones.
Several of our customer success stories cite our easy remote onboarding as a win and a time saver in their IT workflows. By taking network settings into your own hands, good network hygiene and segmentation become attainable for IT.
This document is not a complete guide to reaching compliance with GDPR. In fact, it’s unlikely anyone could give binding, yet quick advice on achieving compliance. Please seek legal counsel and specific technical expertise to learn the best ways to comply in your case.