The dawn of the European Union General Data Protection Regulation (GDPR) is upon us, but organizations are overlooking the risk of mobile devices. The cost for non-compliance is steep. For example, if the Equifax breach occurred under GDPR, it is estimated that its fine would have been more than $120 million.
It is no wonder that 77 percent of organizations surveyed by PwC planned to spend $1 million or more on GDPR compliance. Yet, a recent Gartner press release suggests that by the end of 2018, “more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.”
To achieve GDPR compliance, most companies embark on a data mapping exercise to determine where GDPR regulated data originates and where it flows. Yet, it’s surprising that many of these companies are overlooking a blind spot: mobile devices. In fact, a recent Lookout survey found that 84 percent of IT executives agree that the personal data access on their employees’ mobile device could put their company at risk for GDPR non-compliance.
The majority of employees use the same phone for personal and work purposes, including the access of sensitive data, which results in security and compliance challenges for enterprises.
Don’t Forget the Right to be Forgotten
According to Article 17 of the GDPR, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.”
This is commonly referred to as the “right to be forgotten.” Mobile devices and mobile apps present a serious risk to the right to be forgotten for a number of reasons. First, the majority of employees access customer, partner and employee data from their mobile phone, including calendars, email, contacts and enterprise apps. Additionally, not all mobile apps have been developed with GDPR in mind and may not adhere with the right to be forgotten.
In many cases, the best mobile apps enable workflows that pull data from multiple sources called “mashups.” These mashups are great for productivity, but imagine a mobile app that leverages an API to sync with SaaS cloud data with the mobile device. It is unlikely these integrations are concerned with the active removal of GDPR-regulated data.
Continuing this example, let’s say that a customer requests that a company delete their information. That company may be able to enforce active removal through their SaaS application, but would lack visibility into any sort of mobile device app integration.
If one of those sales leads requested that the company delete their information, the company would not know about, nor have access to, the data in those personal apps and cloud storage instances, and could potentially incur a GDPR infringement. Some organizations incorrectly assume that enterprise mobility management or mobile device management provides visibility into this risk, but the fact is that these solutions provide no insight into how mobile apps are using data.
The Risk of Malicious Apps is Real
In addition to apps that leak data, organizations need to be aware of mobile risks related to malicious mobile apps.
According to Article 5 of the GDPR, “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”
Mobile devices have become the primary target for espionage and surveillance because of the wealth of data they contain, including location, camera, microphone and photos—just think how many times you’ve taken a picture of a whiteboard after an important meeting. More recently, these sophisticated attacks have become commoditized and duplicated by regular hackers to the extent that nation-state-caliber surveillance can be deployed by nearly anyone. Malicious apps that compromise the mobile device enable attacks to gain access to all of the information on the device, including contact records, SMS messages, photo albums and much more—a serious risk for GDPR.
Don’t Miss Mobile in the Call for Compliance
In the race toward GDPR deadline, many organizations conducted audits to “follow the PII.” However, most were looking at this simply from the perspective of managed PCs that access data. Organizations need to realize that mobile devices have the same access to data as PCs. In fact, mobile internet use surpassed the desktop in November 2016.
If organizations aren’t thinking about mobile as part of their GDPR compliance strategy, they are forgetting a critical component that could leave them exposed to costly fines.