If recent events have taught us anything, it’s that when it comes to organizations handling data, consumer distrust is at an all-time high. End users have become increasingly wary of where their information goes, how it’s being used and who can access it.

In an attempt to tighten data regulations across Europe, the EU has made changes to the General Data Protection Regulations (GDPR) which come into effect on May 25, 2018. These new amendments will completely overhaul how businesses process and handle customer data. Perhaps most importantly, the provisions extend to non-EU companies processing data of EU citizens, meaning its effects will be felt across the globe. It’s good to have a GDPR action plan to ensure you and your business processes are ready for the new amendments.

Why mobile?

a) Mobile is a blind spot for your IT team

The majority of internet traffic is now happening on mobile. As a result, employees regularly access valuable employee and customer data from their smartphones. Most enterprises lack visibility into this traffic and are therefore left in the dark when it comes to understanding what data is being shared, and where it’s being stored.

b) Mobile applications are less secure

A number of factors make mobile devices easier to exploit, from the smaller screen size and on-the-go nature of the platform, which make it harder to inspect malicious pages, to the lack of privacy and security built into many mobile applications. Hackers capitalize on the fact that mobile devices are inherently personal, so users are less cautious with the information they give away.

c) Mobile attacks are increasing

Mobile is a lucrative gateway to the enterprise, and attackers now tailor their phishing attack campaigns and design their malicious software entirely for mobile platforms. Wandera research shows that mobile attacks have exploded over the last few years with a new phishing site being created every 20 seconds, on top of the millions of pages that are already in circulation.

"By 2019, 30% of organizations will face significant financial exposure from regulatory bodies due to their failure of GDPR compliance to protect personal data on mobile devices." (Gartner)

What’s the problem?

You’re probably already aware that a data breach over mobile has the potential to be catastrophic in terms of business reputation and overall shareholder value. Failing to comply with GDPR can also lead to crippling fines of up to €20 million, or 4% of annual global turnover – whichever is higher.
Mobile presents a significant risk when it comes to safeguarding data.

  • Organizations must prevent any loss of corporate data, whether through exposure of sensitive data in cyber attacks or through unsanctioned file sharing on cloud storage services.
  • Businesses must also prevent any loss of personal data that takes place on work-assigned devices. Even personal employee credentials are considered PII, and employers have a legal obligation to protect them.
  • It is well documented that the exposure of just one set of credentials, even seemingly harmless data about an individual, can lead to more sophisticated breaches exposing highly sensitive data.

Your GDPR action plan for mobile apps

There is no ‘one size fits all’ solution for GDPR for mobile apps and no such thing as a silver bullet for GDPR compliance in general. However, as is the case with other areas of your organization, there are a number of criteria that must be considered when developing your GDPR action plan for mobile. Below are the key factors that should be taken into account when preparing your GDPR action plan.

1) Prepare a data inventory across your fleet

The new GDPR compliance guidelines require organizations to have a full understanding of which applications are installed across the fleet, what data these apps are processing and where geographically this data is being transferred. Running an app inventory that allows you to thoroughly analyze the applications across your fleet will help you identify where weak spots may lie within your organization.

2) Implement appropriate security measures

If things do go wrong – and sometimes they will, even with the best strategies in place – the first thing that will be assessed is whether your organization implemented “reasonable security measures”. Being proactive in blocking malicious applications, protecting against phishing and preventing network attacks will reduce the risk of a breach and show that you’re committed to preventing an attack.

It’s also imperative that you have a system that enables a complete wipe of your data if the very worst happens. Although an enterprise mobility management (EMM) solution may be able to do this, analysts and experts alike agree that an EMM alone is not sufficient when it comes to securing devices and their data. Gartner, in its 2017 Market Guide for Mobile Threat Defense, explains that “malicious threats or data leakage risks elude EMM controls”.

3) Perform regular vulnerability assessments

Vulnerabilities are known as the ‘lurking culprits’ of mobile security threats: you would likely never know they were there until one was specifically exploited. In order to achieve compliance on mobile, you will need to identify risk areas each time you conduct an audit – from users that have enabled third-party installs, to devices running out-of-date operating systems that may be harboring bugs that have since been fixed. On top of this, your organization will need to follow known breaches within the community so that you can show you’re alerting your employees when their credentials may be exposed.

4) Be consistent in your acceptable use policy

Having devices in your IT infrastructure that can connect to all areas of the web introduces risk to your business. Eliminate this risk by setting up a mobile policy that communicates your position on things like file sharing and social media use across the business and that mirrors your internal policy. For example: are you blocking gambling applications that may be accessed via their mobile site through the browser? Filtering content as a preventative security measure is an effective way of reducing the risk of a breach.

5) Know your data breach and notification protocols

Under the new legislation, companies must disclose data breaches to regulators and, in certain circumstances, to affected individuals, within 72 hours of their occurrence. The longer it takes you to detect and respond to the threat, the higher the risk and the costs of remediation. Integrate your mobile threat alert systems into your wider security network, ensuring the right notifications reach the right people in the fastest, most digestible way possible.

6) Educate your employees

GDPR is not an issue for your IT team alone; it’s an issue to be felt by every person within your organization. Familiarize your team with the fundamentals of data protection and how they can help secure their mobile devices. Provide relevant training on topics like mobile phishing and malware, and encourage an open policy that rewards honesty when potential security incidents are escalated to your compliance team.