Under GDPR guidelines, all devices that can access personal data must be protected. That includes employees’ smartphones and tablets.
“Personal data” as defined by GDPR is fairly broad, including everything from someone’s name and address, their age, email address, an account number, and even IP addresses.
Without data security on your employees’ personal or corporate mobile devices, the personal data of customers, suppliers and colleagues is at risk from accidental loss, or even deliberate exfiltration.
Principle six of the Regulations mandates “appropriate security”, which includes protection against “accidental loss, destruction or damage”.
But what is “appropriate security” when it comes to mobile devices? Well, depending on whether you allow BYOD (Bring Your Own Device) or have Corporate-owned devices, you should think about:
- How do you ensure that devices are patched and up-to-date?
- Who has access to the device?
- How does that device access business data – and what is that data?
- What threats to that device might cause a breach of compliance? And how will you know?
Did you know? Phishing (3,091) was the biggest cause of all the cyber-related data breaches reported to the UK Information Commissioner’s Office in Q4 2021-22
Ensuring GDPR compliance on mobile devices
The ICO considers Corporate devices the most secure option for mobile devices accessing business data, but it can be expensive to supply separate devices for all employees.
To meet the criteria for GDPR compliance for Corporate devices you should ensure that:
- Devices can be supported and updated remotely
- Data loss prevention is in place to stop data from being exfiltrated from the device, and
- Remote access authentication is securely configured and uses MFA
More and more businesses are opting for a BYOD environment, giving staff the flexibility to work from their own devices. However, this poses challenges for GDPR compliance and data security when those devices can access business information.
If personal devices are allowed to access personal data – and that includes receiving emails from or about customers, for example – you should ensure that:
- Devices are locked with a secure passcode
- MFA is set up on email and other business accounts
- Devices are safely configured and patched with the latest OS
- Devices are protected against mobile-borne threats like phishing and malware that can exfiltrate customer data.
- Family members don’t have access to personally identifiable information about employees, suppliers or customers
How MTD and MDM help you maintain GDPR compliance
If you have MDM (Mobile Device Management) or EMM (Enterprise Mobility Management) in place already, you can easily layer Mobile Threat Defence on top. This is the most effective way to meet the criteria for GDPR compliance for Corporate devices. It ensures that:
- Devices can be supported and updated remotely
- Data loss prevention is in place to stop data from being exfiltrated from the device, and
- Remote access authentication is securely configured and uses MFA.
We use Trustd MTD here at MetCloud, and have found it a good way to plug the gaps in perimeter defences and keep our data safe. Trustd MTD’s privacy-first design means it’s less intrusive than typical MDMs, and it can be deployed as a fast, standalone solution to secure BYOD and/or Corporate devices against viruses and spyware, phishing and Man-in-the-Middle attacks, and to protect the personal data in your business from data breaches.
On devices with containerisation, Trustd can be installed on both work and personal profiles.
Trustd MTD also supports a Zero-Trust access strategy, blocking an untrusted mobile device, or one that doesn’t meet your security criteria, from accessing your business data in Microsoft Cloud Apps.
To access the infographic please click this link: https://issuu.com/metcloud/docs/gdpr_infographic
Also check out our press release: METCLOUD Partners with Traced to Help UK Businesses Struggling with BYOD Security – Business Mondays
Stay tuned for more updates with Trustd (Powered by METCLOUD)!
In the meantime, contact a member of our team today on 0121 227 0730 or email firstname.lastname@example.org for any of your cyber security concerns.