There is a major global trend in compliance towards codifying into the law the concept of reasonable, common sense security standards. Compliance is moving away from compliance on paper to compliance in practice. The General Data Protection Regulation (GDPR), which was enacted in April 2016 and will become fully applicable as of May 25, 2018, will bring Europe under one comprehensive and harmonized data protection and privacy legal regime. GDPR applies to controllers in the European Union (EU), as well as those located outside the EU if the individual whose personal data is being processed is located in the EU. “Controller” is defined as the organization that decides the purpose and means of processing the personal data. With regard to processing personal data of employees in connection with their work, the controller would be the employer.
While Europe leads the world in its focus on data privacy, the principles for processing personal data under GDPR are familiar and standards-based (see blog EMM and the Law here):
- Lawful, fair, and transparent processing: Controllers must have valid grounds for processing the personal data.
- Purpose: There must be a clear and explicit reason for processing the personal data.
- Data minimization: The data processed should be limited to what is needed for the particular purpose. Access should only be granted to those people who need it for the particular purpose.
- Accuracy: The data should be accurate and inaccuracies should be easily rectified.
- Storage limitation: The data should be retained only for as long as it is needed for the particular purpose.
- Integrity and confidentiality: The data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized processing and against accidental loss, using appropriate technical or organizational measures.
- Accountability: The controller should be able to demonstrate compliance with the above principles.
As with other data privacy and security standards, GDPR includes the concept of proportionality – the controller should implement appropriate technical and organizational measures to ensure and demonstrate compliance. The measures taken by the controller should be proportionate to the processing in question.
Privacy by Design and Privacy by Default – Article 25 of GDPR
Privacy by design is not a new concept, but its inclusion in GDPR shows how practical, risk-based measures are now becoming legal requirements. Privacy by design requires the controller to implement appropriate technical and organizational measures from the initial setup of operations. In other words, privacy cannot be an afterthought; rather, privacy issues should be considered and risk-based security measures taken throughout the lifecycle of the process, from initial design through data deletion.
Privacy by default means that the controller should put in place appropriate technical and organizational measures to ensure that, by default, only the needed amount of personal data is collected and processed. The user shouldn’t have to opt out from giving extra information. The controller cannot gather more information “just in case” it might want to use it later.
Accountability means monitoring and compliance. A controller needs to be able to show that it has adequate security in place and that compliance is monitored. The penalties for non-compliance with GDPR are substantial: the maximum fines are the greater of 20 million euros or 4% of the company’s worldwide revenue.
EMM importance for GDPR compliance
Enterprise Mobility Management (EMM) solutions, such as MobileIron, are an important component of a reasonable GDPR compliance program:
- MobileIron allows the IT administrator of the controller to establish a clear boundary between personal and business data on the device. The controller doesn’t have access to the content of personal apps or personal email accounts on the device. This is critical to the data minimization as well as the integrity and confidentiality principle of GDPR.
- MobileIron gives the IT administrator visibility into which devices and apps are accessing business services. In the case of a data breach, the IT administrator can show through audit logging exactly what actions took place leading up to the compromise and what, if any, actions IT took as a result. This provides a clear record of any unauthorized access to business services and supports the GDPR principle of integrity and confidentiality, as well as of accountability. MobileIron’s solution enables the IT administrator to:
- a. Manage inventory
- i. Identify authorized and unauthorized devices.
- ii. Identify authorized and unauthorized apps.
- b. Whitelist applications
- i. Establish a subset of applications that are authorized to run on a device and access business services.
- c. Protect Access
- i. Allow only authorized users, devices, and apps to access business services, whether on-premises or in the cloud.
- d. Provide audit logging
- i. Monitor administrative actions and business data flows.
- Finally, MobileIron allows the IT administrator to protect the device from security threats, which is important for the principle of integrity and confidentiality, as well as of accountability. MobileIron’s solution enables the IT administrator to enforce compliance:
- a. Apply appropriate security configurations and policies to the devices and applications.
- b. Monitor the security compliance of the device and applications, including attacks on the integrity of the operating system to jailbreak or root the device.
- c. Take remediation actions if the device or application is out of compliance
A controller (i.e., enterprise) cannot reasonably believe that it is providing adequate security for personal data unless it can demonstrate that it has implemented appropriate EMM controls and procedures to ensure separation of business data from personal data on the device, and to protect that business data from external threats and unauthorized use or disclosure. The MobileIron solution provides a controller with a robust framework for compliance with the data minimization, integrity and confidentiality, and accountability principles of GDPR.