Back in 2018, UK businesses rushed to meet the urgent deadline of 25th May, the date the General Data Protection Regulation (GDPR) came into force. The EU's revised, all-encompassing data privacy legislation is considered one of the strictest in the world, giving far more control of personal data to the individual it belongs to. But since undertaking the initial compliance checks, have businesses revisited the regulation?
That was only 4 years ago, but it's fair to say that the world has changed drastically since then: digitalisation and new working practices have completely reshaped the way our businesses operate and, of course, the UK officially left the EU. Despite the latter, the EU GDPR and the UK GDPR both still apply and must remain a top priority.
Businesses that fail to comply can be fined up to £17.5 million or 4% of their annual global turnover – whichever is higher.
Are companies falling short of their legal GDPR obligations?
Even though they now form a critical component of an organisation’s IT infrastructure, many companies simply overlook the level of company data contained on both business and employee-owned mobile devices.
According to research gathered by the U.S job search platform, Zippia, 80% of companies believe smartphones are necessary for their employees to do their jobs with surveyed employees using an average of 2.5 devices for work.
Whilst they bring extensive business benefits, such as higher productivity, increased collaboration and an always-contactable culture, mobile assets can create a concerning blind spot when it comes to your data visibility. After all, a smartphone, tablet or e-reader can hold as much data as many laptops and PCs.
Without their inclusion in your overall data protection policy, it is surprisingly easy to fall short of the rules. Therefore, every organisation must have a full understanding of how data privacy regulations apply to mobile devices.
What are the risks associated with mobile devices?
Bring Your Own Devices.
Any company data stored on any device remains the legal responsibility of the business, whether or not the device belongs to the company.
Hybrid working practices are here to stay, but remote working has blurred the lines between work and home; keeping track of exactly what information is held where is increasingly difficult, particularly when this includes Bring Your Own Devices (BYOD).
Initially soaring due to necessity and convenience, 75% of employees* now use their personal smartphones or tablets for work purposes. However, despite many having a BYOD policy, companies that allow the use of personal devices appear more vulnerable to attack.^ A surprising number of people still do not prioritise OS updates, and even fewer have them enabled automatically.
Whilst most wouldn't object to being required to use device or app passwords, employees may understandably have substantial privacy reservations about their employer having control of their personal assets, which is required by GDPR. Zippia reports that over 17% of employees use their personal mobile devices for work without telling IT.*
By their very portability, our data-rich smartphones, tablets and their SD card storage are easily lost or stolen, yet they have become so integral to our everyday lives that we have a relaxed attitude towards them; we think nothing of hopping onto a public Wi-Fi network, sharing information in the WhatsApp work group or downloading an app.
That meeting in the coffee shop may seem innocent enough, but by connecting to a public Wi-Fi network without using a VPN, employees could fall victim to a man-in-the-middle (MITM) attack, in which the attacker eavesdrops on a conversation or even poses as one of the parties to it.
Mobile device applications.
87% of organisations rely on their employees using their personal mobile devices to access corporate apps.
The GDPR also applies to any corporate-developed apps deployed to and accessed from mobile devices; therefore, your CRM, sales order processing system, marketing automation or customer service helpdesk could also give rise to a data governance issue.
Applications infected with mobile malware are commonly found in third-party app stores, and it has become a bad habit simply to accept all the permissions requested, such as access to your contacts; a simple address book can facilitate a successful phishing attack. Besides this, even if your employees only use legitimate app stores, this is still unlikely to meet the requirements of GDPR if the offending app was downloaded to an unpartitioned personal device.
How can you prevent mobile device security threats?
Data Protection Policy.
Only half of employees say that their company has specific security policies for mobile devices used for work.* Strict rules on the access to and use of corporate data on these assets must be comprehensively covered within your GDPR-compliant data protection policy, and each element must be monitored to ensure it is actioned. Importantly, staff must not only be informed but continually educated about their obligations and the potential consequences for the business.
A Data Protection Officer (DPO) oversees data protection policy and practices, ensures adherence to the data privacy rules and acts as a point of contact for the supervisory authority. A DPO is recommended under the Regulation, but organisations must assess for themselves whether they need one. The ICO has a quick and easy three-question online tool to help you if you are unsure.
Mobile Device Management.
Organisations must track exactly how personally identifiable information is collated, used and stored; they must also have 360-degree visibility, full monitoring and management control of any mobile technology used for business. Yet only 32% of companies require employees to register their personal devices with IT and have security software installed.*
Mobile device management (MDM) software can meet these requirements by providing the visibility required, and it also helps IT teams respond to the data governance challenges of remote teams. It enables administrators to remotely deploy OS updates or security patches, enforce password policies and blacklist apps or device functionality. It can even remotely lock a device or erase its data. Whilst this isn't as secure as professional data erasure through an ITAD partner, it is a handy function in the case of a lost or stolen handset.
The legislation requires the complete separation of business and personal usage, which is easily confused when both sit on the same handset; human error may result in an employee breaking the regulations by accidentally syncing corporate data to their personal cloud, for example. Through MDM, teams can apply a toggle between work and personal screens, isolating apps and files.
Complete data erasure.
IT asset disposal data security falls within the GDPR's guidelines on the destruction of data, so it is imperative to treat these data-bearing mobile devices in the same way you would handle any other piece of redundant IT equipment.
To remain fully compliant with data protection legislation, you must ensure that secure data destruction is carried out. IT asset disposal companies will provide the same data-wiping services for your smartphones and tablets as they do for all other end-of-life IT assets.
One of the most common ITAD mistakes, and one of the greatest ITAD myths, is that a full factory reset will wipe a mobile device of all data. Unfortunately, businesses that are trying to do the right thing and contribute to the circular economy through recycling buy-back schemes can be caught out by data security issues further down the line, as liability rests with you.
The use of industry-leading Blancco software by IT asset disposition services is the only way to guarantee full data erasure, whether the smartphone or tablet is to be cleansed and redeployed or mobile device recycling is required for redundant IT assets.
If you already outsource ITAD, you'll know that your ITAD supplier will issue each device with its own IT asset disposal accreditation certificate; this ITAD chain of custody demonstrates your legal compliance.
As our organisations continue to evolve digitally, gaining full visibility across the entire mobile threat landscape appears increasingly difficult. But the specific data governance challenges mobile devices present must be prioritised if companies are to remain compliant with EU and UK GDPR. Wherever there is data there is a risk of a breach, whether company data is accessed and stored on a business device or a personal BYOD; the onus is on your business to protect company data.
A combined approach will help you minimise the risk of both a breach and a fine. Create strict data protection and BYOD policies; you may look to recruit a DPO to help you enforce them. Mobile device management software can help with administration and mandatory updates. Our mobile technology has a short lifecycle, and data can remain hidden even after a factory reset; data destruction services and mobile device recycling will ensure that your business data cannot be recovered.
* Zippia, ^ ViaScreens, + Perillon
As any DPO will tell you, one of the biggest challenges in data governance is ensuring that you have fully understood and accounted for every article within the extensive and strict GDPR.
The importance of data destruction of mobile devices should not be overlooked within our digitalised organisations. Tier1 provides comprehensive environmentally friendly ITAD and mobile device recycling using the industry-leading Blancco data erasure software.
We are proud to know GDPR data destruction requirements and WEEE legislation like the back of our hands, so when it comes to ensuring your legal compliance, we can guarantee both reliability and complete peace of mind.
Find out more about secure IT asset disposal – Contact us on 0161 777 1000 (Manchester), 01621 484380 (Maldon) or visit www.tier1.com/contactus
Sources: IT Governance, Zippia, Computer World, Tech Target, LinkedIn, ViaScreens, Mighty Gadget, Samsung, Everphone, Miradore, Information Commissioner's Office, Help Net Security, Perillon, Ponemon, Keeper Security