If you access company info on your phone, you need think about GDPR
GDPR applies to personal data and defines that term broadly. It includes everything from name and address through to age, email address, a customer number, and even IP addresses.
If your employees access any of that information on a mobile device, perhaps via a CRM system, company contact database, help desk app, or order processing system, then their mobile device could be a potential weak point. So how confident do you feel in your mobile infrastructure?
The worry for companies using mobile devices is that a lack of security might end up breaking strict rules around how you protect that data. These fall under principle six of the Regulations, which mandate “appropriate security“. That includes protection against “accidental loss, destruction or damage”. That’s pretty wide-ranging, giving regulators plenty of latitude.
Employees increasingly use mobile devices for work, especially during the pandemic when the lines between home and business are blurred. Any time they access data from company servers or from an online service, they turn that device into a potential weak spot.
Bring Your Own Device (BYOD) is a particular GDPR risk
Hopefully you’ll have policies governing how employees can use devices for work purposes, but what about the devices that don’t comply with those policies? BYOD devices are a particular risk here, as employees using their own smartphones and tablets might run unauthorised and insecure applications.
Phones don’t even need to be rooted or jail-broken to host dangerous software. There are plenty of potentially unwanted programs (PUPs) that play fast and loose with device data. Even legitimate applications that don’t necessarily violate app store rules might still not be robust enough to satisfy GDPR requirements. What servers do those apps connect to, and where? Do they encrypt sensitive data that your employees store on those devices? What other apps are on the phone and do they have access to that data?
Phones are portable computers
Mobile devices are especially vulnerable to attack because they are prone to being mislaid or left unattended in publicly accessible places. An improperly secured device carrying customer data left in a taxi or a coffee shop is a potential liability. These incidents plague companies repeatedly.
The UK Information Commissioner’s Office counted 46 separate incidents of lost or stolen devices containing personal data in Q2 2020-21.
Talking of coffee shops, there’s another characteristic that makes mobile devices especially vulnerable to GDPR infractions: portability. When they connect to publicly accessible Wi-Fi networks, smartphones risk man-in-the-middle (MITM) attacks.
These place rogue access points between the device and the legitimate network, enabling them to intercept all data before passing it along. If a mobile app or browser session accesses PII (personally identifiable information) over that network, the attacker can compromise it and place the user’s organisation in violation of GDPR.
Every device must be protected under GDPR’s strict rules.
Smartphones and tablets are no exception. A Mobile Threat Defence solution is important to protect the device both from on-board attempts to pilfer data and from malicious network connections. It can scan software on the phone to see how it behaves, spotting any apps that are doing things out of the ordinary. If it spots apps trying to do things they shouldn’t, it will give users a clear alert. And if it sees the phone connecting to a suspicious network, it will sound the alarm bell immediately to avoid your company incurring stiff penalties later.
Those penalties are no joke, and in severe cases can range up to €20 million, or 4% of annual turnover. Isn’t it worth spending a few pounds now for peace of mind?
Want to understand more about GDPR and your mobile devices?
I recently presented a workshop for OxLEP Business on Data Protection for Small Businesses, where I covered these points in greater depth. You can watch the recording for free here.