7 questions to ask your EMM provider about GDPR compliance

Protecting data on mobile devices is key to complying with new EU privacy regulations going into effect in May. With the deadline looming, here’s what you should be asking your EMM vendor.


The deadline for compliance with the General Data Protection Regulation (GDPR) — a regulation proposed by the European Commission and adopted by the European Parliament and the Council of the European Union to strengthen data protection for individuals within the European Union (EU) — is rapidly approaching.

Regardless of where they are based, organizations that process the personal data of individuals in the EU, whether customers or employees, need to be preparing for GDPR, and that includes ensuring that mobile devices and applications are in compliance. The regulation, which goes into effect on May 25, 2018, is designed to bolster data protection and rights to privacy for individuals within the EU, and also addresses the transfer of personal data outside the EU.

Because so much data is stored or shared via mobile devices, and because these devices and their data are particularly vulnerable to theft and breaches, enterprise mobility management (EMM) platforms should be a key component of any GDPR compliance efforts. “EMM is the most comprehensive mobility solution for GDPR compliance,” says Angela Salmeron, research manager, EMEA Enterprise Mobility at market intelligence firm IDC.

How can organizations know if their EMM systems meet GDPR requirements? Here are some key questions to ask vendors, according to industry experts.

1. How open is the EMM platform?

No one EMM vendor can offer all of the mobile security capabilities needed for full GDPR compliance, Salmeron says. Because of this, they need to form partnerships with other vendors that provide such capabilities.

Organizations and IT departments should check with their EMM vendors about how open their platform is to adopt features from other providers, Salmeron says. “EMM solutions must offer deep integration with other security software tools and platforms and become extensible via plug-ins, application programming interfaces [APIs], and other mechanisms,” she says.

2. What options are available on the platform to separate personal and business data on devices?

How the EMM product establishes that boundary line is important for maintaining data minimization, “meaning you aren't getting access to or using personal data unless you have a legitimate reason to do so,” says Andrew Hewitt, an analyst covering mobility infrastructure and operations issues for Forrester Research.

“EMM providers can use certain technologies like containerization or app wrapping to create that separation, [to] make sure your IT team is not in violation of GDPR data minimization principles,” Hewitt says.

The separation of environments is especially important in bring-your-own-device (BYOD) scenarios. “Consider the support for ‘selective wipe,’ so only corporate data is wiped [if necessary] but private personal data is not accidentally wiped,” says Bart Willemsen, research director at Gartner.

3. Can end users see what data is being collected via the EMM’s self-service capabilities?

This is important because if there is no insight into what data is being collected, users and administrators can’t make proper choices about which data needs to be protected, Willemsen says.

Related questions are whether the EMM tool can notify users about any changes in an app’s permissions, since permissions translate to data that can be gathered; whether the EMM product can modify the terms of use every time an app asks for a new permission; and whether the EMM tool supports privacy settings to reduce the scope of data collected.

4. What sort of access controls does the platform have?

Controlling access to personal data through technology such as identity management tools is required within the GDPR rules, but some EMM vendors do not include this in their mobility suites, Salmeron says.

Organizations need to check this out with their EMM suppliers, she says. And if identity management is absent, they need to find out what partnerships are in place with relevant identity vendors.

5. What ‘privacy by design’ measures are incorporated into the platform?

Privacy by design and protection by default are known disciplines, but are now mandatory under GDPR (Article 25 calls them data protection by design and by default), Willemsen says. “Application of security controls should fit the privacy risk introduced by any processing activity,” he says. Personal data can then be pseudonymized, masked or encrypted where possible.

Another consideration is how IT teams can customize the privacy messages associated with mobile device management (MDM) enrollment. “This is important for data minimization purposes,” Hewitt says. “Employees need crystal-clear guidelines on what IT can and cannot see through the use of an MDM profile.”

6. Does the platform provide audit trails in the event of a data breach?

Under GDPR (Article 33), the data controller must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk, affected individuals must also be informed without undue delay (Article 34). The regulation also has internal record-keeping requirements: every breach, its effects and the remedial action taken must be documented, and records of processing activities must be maintained (Article 30).

EMM platforms should be capable of providing audit trails supporting a forensic investigation in the event of a breach. “The IT team needs to provide an audit trail as part of the accountability aspects of GDPR,” Hewitt says. “EMM can help identify compromised devices or apps and should provide a clear trail of what the IT [or security teams] did to remediate the breach. This can get tough with so many operating systems and apps out there, so it's important to have broad visibility into all the attack vectors.”

7. What granular controls are available to control the personal data processed?

Underlying controls are needed to ensure that data is only processed, used, and accessible where it is authorized, serving a specific purpose; and controlled throughout the lifecycle, meaning there should be a deliberate end to that lifecycle as well, Willemsen says.

“Granular authorization, access, and most importantly retention controls are needed to keep data no longer than is required,” Willemsen says. Similar questions for the vendor might be about enrollment or unenrollment of the device, or about role-based access controls, for the same reason.

“In the end, what’s important to note is that no organization can observe their EMM vendor and demand they make the [platform] GDPR compliant,” Willemsen says. “An EMM platform or tool vendor should make the personal data governing controls as adjustable and configurable as possible, placing that granular control in the hands of the data controller.”

Regardless of the vendor they use, organizations must be careful to ensure appropriate procedural measures, issue a privacy policy accompanying the EMM deployment, and document the legal grounds and purposes for processing data, Willemsen says.

Copyright © 2018 IDG Communications, Inc.
