In 2018, as the General Data Protection Regulation, or GDPR, was set to take effect, UK businesses scrambled to meet the looming deadline. The updated comprehensive data privacy law of the EU is regarded as one of the strictest in the world and gives the owner of personal information much more control over it. But have businesses reviewed the directive since performing the initial compliance checks?
Although it has been only four years, it is fair to say that the world has changed significantly since then. Our reliance on technology and new ways of working have fundamentally altered how our businesses run, and of course, the UK has formally left the EU. Despite the latter, both the EU GDPR and the UK GDPR still apply and must be given high priority.
“Businesses that fail to comply can be fined up to £17.5 million or 4% of their annual global turnover – whichever is higher.” – IT Governance.
Are businesses failing to uphold their legal commitments under the GDPR?
Many businesses simply ignore the amount of company data present on both employee- and business-owned mobile devices, even though they now make up a vital part of an organisation’s IT architecture.
Surveyed employees use an average of 2.5 devices for work, according to research conducted by the American job search platform Zippia. 80% of companies believe smartphones are required for employees to perform their tasks.
Mobile assets can create a worrying blind spot when it comes to your data visibility, despite the significant business benefits they bring, such as greater productivity, increased collaboration, and creating an always accessible culture. After all, e-readers, tablets, and smartphones might all store as much data as many desktops and PCs.
If these devices are left out of your overall data protection policy, it is shockingly easy to breach the law. All organisations therefore need a thorough understanding of how data privacy legislation applies to mobile devices.
What dangers come with using mobile devices?
Bring Your Own Devices.
Company data remains the legal responsibility of the business regardless of whether the device it sits on actually belongs to the business.
Although remote working has blurred the boundaries between work and home, hybrid working is here to stay. As a result, it is getting harder to keep track of exactly what information is stored where, especially where bring your own device (BYOD) arrangements are involved.
The use of personal smartphones and tablets for work purposes has risen to 75% of employees*, having first grown out of necessity and convenience. Companies that permit the use of personal devices, as many do, appear to be more exposed to attack. Surprisingly few people give OS updates a high priority, and even fewer have them turned on by default.
Although most people wouldn’t mind having to use device or app passwords, it’s understandable that employees could have serious privacy concerns about their employer having access to their personal assets, as mandated by GDPR. According to Zippia, over 17% of workers use personal mobile devices for work without informing IT.*
Our data-rich smartphones, tablets, and SD card storage are easily lost or stolen because of their portability, but because they have become so ingrained in our daily lives, we don’t think twice about connecting to a public Wi-Fi network, sharing information on the WhatsApp work group, or downloading an app.
Employees who connect to a public Wi-Fi network without using a VPN risk a man-in-the-middle (MITM) attack. An innocent catch-up in the local coffee shop could allow an attacker to eavesdrop on a conversation or even impersonate one of its participants.
“87% of organisations rely on their employees using their personal mobile devices to access corporate apps.” – Syntonic +
Your CRM, sales order processing system, marketing automation platform, or customer care helpdesk could also cause a data governance issue because the GDPR also applies to any corporate-developed apps that have been deployed to and accessed by mobile technology.
Malware-infected applications are commonly found in third-party app stores, and it has become a risky habit simply to grant every permission request, such as access to your contacts, since even a basic address book can help a phishing attempt succeed. Moreover, even if your staff only use legitimate app stores, it is difficult to comply with the GDPR if the offending app was installed on a personal device with no separate work partition.
How can security concerns on mobile devices be avoided?
Data Protection Policy.
Only 50% of workers claim that their employer has a specific mobile device security policy. Your GDPR-compliant data protection policy must address the rigorous access and use of corporate data on these assets in great detail, and its components must be checked to make sure they are put into practice. It is crucial that employees are constantly taught about their responsibilities and the possible repercussions for the company.
A data protection officer will supervise data protection policies and practices, uphold data privacy laws, and serve as a point of contact for supervisors. The Regulation recommends a DPO, but organisations must determine if they actually require one. If you are unclear, the ICO provides a short and simple three-question online tool that can assist you.
Mobile Device Management.
Companies must keep precise records of the collection, usage, and storage of personally identifiable information. They must also have 360-degree visibility, complete control, and management oversight over any mobile technology used for business. However, only 32% of businesses mandate that employees register their personal devices with IT and install security software.*
The visibility needed can be provided by mobile device management software (MDM), which also enables IT teams to address the data governance issues faced by distant teams. Administrators can use it to enforce password policies, remotely deliver OS upgrades or security patches, and ban specific apps or device features. Data can even be remotely locked or deleted. Although this isn’t as safe as expert data erasure through an ITAD partner, it is a useful feature in the event that a handset is lost or stolen.
Human error can lead an employee to breach the law, for example by unintentionally syncing company data to a personal cloud account. The law demands complete separation of work and personal use, a separation that is easily blurred when both happen on the same phone. With MDM, teams can implement a toggle between work and personal profiles, keeping apps and files apart.
Complete data wipe.
The GDPR requirements for data destruction extend to the data security of IT asset disposal, so it is critical to treat these data-carrying mobile devices just like any other piece of obsolete IT equipment.
You must make sure that secure data deletion is carried out in order to maintain complete compliance with data protection legislation. Your smartphones and tablets will receive the same data-wiping services from IT asset disposal firms as all other end-of-life IT assets.
The belief that a full factory reset erases all data from a mobile device is one of the most frequent ITAD errors and one of the worst ITAD fallacies. Unfortunately, companies that are trying to uphold ethical standards and support the circular economy through recycling buy-back programmes risk being held responsible for data security failures later on.
Whether a smartphone or tablet is to be wiped and repurposed, or redundant mobile devices need to be recycled, the only way to guarantee complete data erasure in IT asset disposition is to use the market-leading Blancco software.
If you already outsource ITAD, you already know that your ITAD supplier will make sure that each device has a certificate proving that it complies with all applicable laws. This ITAD chain of custody is proof that you are in compliance with the law.
Gaining complete visibility across the whole mobile threat landscape appears to be getting harder as our organisations continue to develop digitally. But if businesses want to stay compliant with the EU and UK GDPR, the specific data governance concerns that mobile devices pose need to be prioritised. Whether company data is accessed and stored on a personal or a business-owned device, there is always a risk of a breach. It is your responsibility as a business to protect company data.
A coordinated strategy will help you reduce the likelihood of a violation and a fine. Establish stringent BYOD and data protection policies, and consider appointing a DPO to help you enforce them. Mobile device management software can help with administration and with required updates. Mobile technology has a limited lifespan, and data can remain hidden on a device even after a factory reset, so data destruction services and mobile device recycling will ensure that your company’s data cannot be recovered.
Ensure that you have thoroughly grasped and taken into consideration every item of the comprehensive and stringent GDPR, as this is one of the largest issues in data governance.
In modern digitised organisations, the significance of mobile device data erasure should not be understated. Utilising market-leading Blancco data erasure software, tier1 offers thorough ecologically responsible ITAD and mobile device disposal.
We take pride in being fully acquainted with WEEE regulations and GDPR data destruction requirements, so when it comes to ensuring your legal compliance, we can promise dependability and total peace of mind.
To learn more about secure IT asset disposal, call us on 0161 777 1000 or email email@example.com.