The digitisation and networking of our communication channels bring benefits and offer attractive new areas of attack. The EU GDPR, which entered into force this year, takes this into account by requiring companies to deal with personal data (of EU citizens) – according to Article 5 (“Principles for the processing of personal data”), for example:
- legality, processing in good faith, transparency,
- data minimisation,
- storage limits,
- Integrity and confidentiality.
In accordance with Article 5 (2), the controller is responsible for compliance with the above principles and must be able to demonstrate compliance with them (“accountability”).
IT departments are facing new challenges. Under Article 32 (“Processing Security”), undertakings must demonstrate compliance with state-of-the-art organisational and technical security requirements for mobile devices, including:
- Pseudonymisation and encryption of personal data;
- Ability to ensure the confidentiality, integrity, availability and resilience of systems and services related to processing on an ongoing basis;
- Ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident;
- Procedures for the regular review, evaluation and evaluation of the effectiveness of measures to ensure the security of processing.
Laptops, smartphones or tablets must therefore be encrypted from now on, and backups must be created. Additional gateways must be secured, e. g. by giving permissions to apps installed on the device. Only correctly certified apps may be installed, and, in case of doubt, all company data must be remotely deleted. Private data and apps must be separated from corporate data, for example, by means of container solutions. This is the only way to completely and verifiably prevent unauthorised data access and unauthorised disclosure. At the same time, the containers can ensure the encryption of company data and communication between the mobile device and the IT department.
All risks and safeguards must also be assessed and documented in accordance with Article 35 (“Privacy Impact Assessment”), and Article 32 (1) (d) also requires “procedures for the periodic review, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing.” Without a mobile device management system, these requirements can hardly be met.
Mobile devices: flexible use despite strict specifications
A suitable MDM system provides a detailed overview of devices with access to enterprise resources at a glance. Devices and applications can be centrally managed and inventoried. Software distribution, including the rollout of updates and licenses, should also be centrally controlled – including powerful malware protection, remote control features and automatic actions in the event of security breaches.
Mobile solutions will continue to play a significant role in our private and professional lives. Therefore, investing in a future-proof solution is advisable: Professional concepts, simple handling and reliable methods are worthwhile. Not least because of the severe penalties for non-compliance: those who neglect their data protection obligations face fines of up to EUR 20 million or four per cent of the annual worldwide turnover (Article 83 (5) “General Conditions for the Imposition of Fines“).