Making sure you’re GDPR compliant — Part One.
Last year the General Data Protection Regulation came into effect to protect the privacy and data of all EU citizens no matter where they live. So, if you have an EU citizen working for you or you do business with any EU citizens, then it could affect you. And with fines up to $AU30 Million, or 4% of global revenue, you don’t want to get stung.
Who? What? Where?
In short, the GDPR was introduced by the European Parliament to ensure that individuals have control over their private data.
It is an EU law, but seeing as the world is now such a small place thanks to technology, it pretty much affects everyone and anyone doing business on a scale larger than a farmer’s market. Even then, you’d want to watch out.
What can I do?
Within a mobile-enabled workplace, data collection is everywhere and by everything, and not just your clients’, but your employees’ too. As 5G rolls in, this will only amplify, and the need to ensure this data is used only for the agreed purpose is now more critical than ever. By following these four steps, you can help your business get GDPR compliant.
Be crystal clear on rights and responsibilities.
Whether they bring their own device or you provide them with one, the best way to ensure employee compliance and gain consent is to explain what data will be collected and why, and to reinforce that it is collected only for specific and legitimate business purposes and is not transferable.
By providing clear and precise details on what your UEM of choice can and cannot access on their device, you can help alleviate worries.
The GDPR states that personal data is not to be used if the business outcome can be achieved through less intrusive means. For example, tracking an employee through their device to verify attendance is not justified, as there are other ways of doing this. Tracking could be used to find a missing device, but Gartner does not recommend tracking any personally owned devices.
Just as employees have a right to know that you ensure the safety of their data, they owe you a responsibility to follow best practices from their end too, so that together you can work towards the goal of minimizing privacy risks and keeping them under control.
As a result, you can stipulate that users must update their device’s OS versions and use the latest recommended applications. And if required, enforce the installation of a UEM tool and approved applications to share company-owned data. Users also have a responsibility to report all losses and potential breaches to IT, as a data wipe or selective wipe may be required.
An employee’s responsibility extends to their peers and their data too. Accessing this data outside of the requirements for their job or unauthorized access to personal data is also considered a data breach.
Select the right tools for the job.
When selecting a UEM or third-party app, you should use these lists to determine a potential vendor’s capabilities to support GDPR compliance. Also, you will want a written agreement stating you retain ownership of all data collected and stored.
- Inform users and seek their consent when apps elevate permission requests, as this can change the level of access to personal data.
- Support data masking and role-based access in the administration console to restrict access to sensitive data.
- Allow employees to see what data is being collected.
- Allow for easy un-enrolment from personal devices with corporate data able to be remotely wiped.
- Allow all BYOD to have privacy settings to restrict unnecessary access.
Data protection by design
- Separate work data from personal data without MDM enrolment.
- Check device and app compliance in real time before granting access.
- Automatically carry out remediation if a device is non-compliant.
- Encrypt data at a container and device level and enforce passcodes.
- Support selective data wipes so that corporate data can be removed while personal data is preserved.
- Ensure apps collect minimal data and do so for a legitimate purpose.
- Confirm that any external parties involved can ensure the same level of privacy.
- Users should be able to revoke consent and have personal data deleted.
- Encrypt all data at rest and use transport layer security for any data in transit.
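The "check compliance before granting access" and "automatically remediate" points above can be illustrated with a small policy engine. The following is an added example written for this article, not code from the article, from Gartner or from any UEM vendor: the device attributes, the minimum OS version, the remediation action names and the sample devices are all constructed for illustration. It also shows the data-minimisation idea from earlier on the page (only the attributes needed for the decision are collected) and the selective-wipe rule for personally owned devices.

```python
# Added example (not from the original article): a small policy engine that checks
# device posture against compliance rules before granting access to corporate data
# and picks a remediation for each failed rule. Attribute names, the OS threshold,
# the action names and the sample devices are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class DevicePosture:
    """Only the attributes needed for the access decision are collected
    (data minimisation): no location, contacts or personal app inventory."""
    device_id: str
    ownership: str               # "corporate" or "byod"
    os_version: Tuple[int, int]  # (major, minor) as reported by the UEM agent
    passcode_set: bool
    encrypted: bool              # device-level encryption enabled
    work_container: bool         # work data kept in a separate managed container
    reported_lost: bool = False  # user has reported the device lost or stolen to IT


@dataclass
class Decision:
    device_id: str
    allow: bool
    findings: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


# Constructed policy value: minimum supported OS version for access to company data.
MIN_OS_VERSION = (13, 0)


def evaluate(device: DevicePosture) -> Decision:
    """Evaluate the compliance rules; every failed rule records a finding and the
    remediation the UEM should carry out automatically."""
    decision = Decision(device_id=device.device_id, allow=True)

    def fail(finding: str, action: str) -> None:
        decision.allow = False
        decision.findings.append(finding)
        decision.remediation.append(action)

    # A lost device is handled first: wipe only corporate data on a BYOD device so
    # the owner's personal data is preserved; a corporate device gets a full wipe.
    if device.reported_lost:
        wipe = "selective_wipe" if device.ownership == "byod" else "full_wipe"
        fail("device reported lost", wipe)
        return decision

    if device.os_version < MIN_OS_VERSION:
        fail("OS version below minimum", "prompt_os_update")
    if not device.passcode_set:
        fail("no passcode", "enforce_passcode")
    if not device.encrypted:
        fail("device not encrypted", "enable_encryption")
    # Work data must be separated from personal data on personally owned devices.
    if device.ownership == "byod" and not device.work_container:
        fail("work data not containerised", "install_work_container")
    return decision


# Constructed sample devices, as a UEM agent might report them.
SAMPLE_DEVICES = [
    DevicePosture("corp-001", "corporate", (13, 4), True, True, True),
    DevicePosture("byod-002", "byod", (12, 1), True, True, False),
    DevicePosture("byod-003", "byod", (13, 2), True, True, True, reported_lost=True),
]


def evaluate_all(devices: List[DevicePosture] = SAMPLE_DEVICES) -> Dict[str, Decision]:
    """Return the access decision for every device, keyed by device id."""
    return {dev.device_id: evaluate(dev) for dev in devices}


if __name__ == "__main__":
    for dev_id, result in evaluate_all().items():
        status = "ALLOW" if result.allow else "DENY"
        print(f"{dev_id}: {status} findings={result.findings} "
              f"remediation={result.remediation}")
```

Running the block denies the out-of-date BYOD device with two remediation actions and issues a selective wipe for the lost BYOD device; only the compliant corporate device is allowed through. The rules are evaluated on every access request rather than once at enrolment, which is what the real-time check in the list above calls for.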
Stay on top of data breaches with device compliance rules.
Separate work and personal data with UEM tools.