New GDPR Regulations Raise the Stakes for Protecting Enterprise Mobile Apps
Blue Cedar | Jul 6, 2017
Mobility can be considered either a valuable solution that enables a huge step forward for organizations or a massive headache for IT and security teams. Mobility allows enterprises to reduce the cost of sales and service, improve the customer experience, and increase efficiency and productivity. But as organizations globally continue to adopt mobile strategies and apps, security and data privacy are becoming top concerns.
This is especially true in Europe. The European Union recently enacted the General Data Protection Regulation (GDPR), a set of rules designed to protect the privacy of EU citizens while making privacy laws consistent across Europe. With enforcement set to begin in May 2018, GDPR highlights the need for protecting data beyond the protections offered by device security.
So what will GDPR enforcement mean to enterprises—including those based outside of Europe—that work with EU citizens’ personal data? Enforcement is always a potential headache, and for organizations that rely on mobility to run their business, that headache can be a migraine.
“Personal data” as defined by GDPR can be anything—a name, photo, email address, bank details, posts on social media, medical information, or a computer’s IP address. A countless number of organizations handle personal data, ranging from banks, hospitals, and transportation entities to local merchants who might collect customers’ email addresses to alert them to an upcoming sale. The GDPR defines these organizations as “data controllers.” The regulation also applies to “data processors”—organizations that process personal or consumer data on behalf of a data controller. These organizations can be anything from a payroll processor to a mail-order house, and they include cloud services.
With enforcement of GDPR, data controllers and processors face stiff penalties if personal data is lost or compromised. Organizations can be fined up to 4 percent of annual global turnover for breaching GDPR, or €20 million. Tiers of lesser fines address issues such as not having records in order, not notifying the supervising authority and data subject about a breach, or not conducting impact assessments.
To date, enterprises have had a wide range of policies for securing enterprise data on mobile devices—from implementing few or no controls on BYOD devices to issuing corporate-owned, locked-down mobile devices. However, even corporate-owned devices are not secured to the level that will be required by GDPR. According to Strategy Analytics’ report, Enterprise Mobility 2017—Adoption and Trends, June 1, 2017, 29 percent of surveyed companies reported that more than half of corporate smartphones are unlocked devices. And nearly a third of survey respondents do not manage corporate data on personal BYOD devices. With GDPR, enterprises must secure personal data regardless of whether it is used on a mobile device owned by the company or on one owned by an employee.
The prospect of securing enterprise apps that contain personal information on users’ personal devices is daunting. The organization has to know which devices the employee will use and maintain updated security measures on all of those devices. Installing software or agents on a personal device can erode employee trust, thus defeating the goal of increasing employee engagement and productivity. And it is completely impractical to install device security on devices owned by company contractors and affiliates.
The difficulty of securing personal devices to meet compliance and privacy regulations has led some EU organizations to begin re-issuing corporate-owned mobile devices, in spite of forfeiting BYOD cost savings. Securing corporate devices is easier than securing personal devices, but it still doesn’t solve the data privacy issue. Device security alone doesn’t guarantee compliance with privacy regulations. Devices can be lost or stolen. And even when they aren’t, device security measures can’t protect personal data once it leaves the device.
Fortunately, it is now possible, and far easier, to secure an enterprise mobile app than to try to secure thousands of different devices. Blue Cedar can help organizations meet GDPR monitoring and audit regulations by protecting enterprise mobile apps and data. Security follows the app everywhere it is used. Whether data is at rest or in motion, it is protected without affecting the user experience. Data controllers and processors gain robust, consistent data protection across their employees’ and partners’ mobile devices—managed or unmanaged—without the cost, complexity, or risk associated with securing individual devices.
That’s certainly a good start. Blue Cedar can help simplify and manage enterprise mobility in many other ways as well. To learn more about the company’s unique approach and its security advancements for enterprise mobile apps, visit http://www.bluecedar.com/product.