Noel
Rivera

How to maintain GDPR compliance with Mobile Device Management

Noel Rivera

Aug 11, 2020

7 min read

What is GDPR?

GDPR is a regulation protocol that upholds the right of European citizens to have complete control over every aspect of their personal data. Any non-compliance with GDPR can result in hefty fines for the company. It essentially lays down, from an organizational point of view, the ground rules for collecting personal data from data subjects within the EU. It aims at increasing accountability regarding the personal data processing of EU data subjects.
It is now a ubiquitous business concern, maintaining compliance, due mainly to an ever-increasing number of regulations that require companies to be proactive about keeping their regulatory compliance requirements thoroughly understandable. Added to that, since a huge chunk of work is done on mobile devices, mobile device compliance is also of utmost importance at this point in time.

GDPR regulatory compliance

The GDPR was adopted by the European parliament in April 2016, and it came to full effect in May 2018. It was presented as a replacement for an outdated data protection directive created in 1995. Along with the data protection within the EU, GDPR also regulates the exportation of personal data outside the EU.

Smartphones have had quite an impact on the way organizations function, and this includes EU Institutions too. Some data protection issues relating to mobile devices that might be a hindrance to GDPR compliance include,

Breach of stored data: Data stored in a mobile device can be exposed to potential financial, reputational, or physical harm if adequate measures to secure the data are not in place. Such kind of data breaches may include; the mobile device being stolen along with the personal data it holds, the mobile device being sold or thrown away without clearing personal data, mobile apps using personal data, confidential data being available to third parties through file-sharing or file storage apps, data being intercepted or tampered with, in the cloud.

Communication Interception: Communications that involve confidential data can be intercepted due to any lack of security in communication protocol regarding emails or web traffic. Interceptions also occur if malware is present in the said device. One of the common ways in which communication interception can happen is through a compromised Wi-Fi access point.

BYOD related issues: These issues happen when there is a blurring of personal and professional use of the device. Data that is personal might mingle with confidential data can possibly cause a data breach. Other issues include rogue applications, managing different operating systems, pushing out updates, etc.

How can Hexnode help you maintain your GDPR compliance?

GDPR compliance for mobile devices can be achieved and maintained with a bit of help. IT should establish a comprehensively evaluated, company-wide mobile policy. This policy should be able to dictate the security posture of the mobile devices and also how data behaves when in these devices. Such a comprehensive policy can be enforced and monitored by an EMM or a UEM solution like Hexnode.

Hexnode’s well-rounded device management platform can help you maintain GDPR compliance in a consistent manner. The following are potentials risks that are addressed by GDPR rules and how Hexnode can mitigate them.

Possible Risk  How Hexnode solves it. 

Devices that are not compliant with company policies 

Admin can Identify, flag, and manage non-compliant devices remotely from the Hexnode portal. Restrictions may be placed on these devices, they could be disenrolled or a remote wipe may be initiated on them. Using dynamic device groups, admin can automate this process and make it much more efficient all around. It enables you to deploy bulk actions to devices that are not compliant. 
Breaking compliance can include rooting devices in the case of Android and jailbreaking devices in the case of iOS. 

Data access through unsecured applications 

With the help of Hexnode, managed app catalogs can be pushed to the devices. These catalogs may contain apps that are deemed secure by the organization.  

Admin can also initiate managed Google Play which only contains applications in the Google Play that are approved by the admin. 

Admin can also, remotely, uninstall applications without user intervention on targeted devices. 

With the help of app blacklisting functionality, admin can manually initiate bans on apps that are deemed unsecured by the organization. 

Unauthorized access to devices that are left unattended 

Unauthorized access can be avoided with the help of a clearly defined password standard that can be applied across all devices. With the help of  Hexnode, you can include password length, password history, and even special characters. 

Outdated apps or operating system 

Updating numerous devices one by one could be quite tedious, especially with an ecosystem filled with devices hailing from different platforms. Through the Hexnode, portal the admin can update both enterprise and store apps. OS updates can be scheduled for specific time periods to ensure minimal productivity loss. The admin can remotely push out these updates and patches to all devices without breaking a sweat. 

Connectivity over an unmanaged network 

Devices can be preconfigured with Wi-Fi networks and VPNs to ensure network protection. The security type, password and the accepted EAP method can be specified to ensure maximum security. Firewalls can also be enforced while the device is in contact with any public network. 

The admin can also less strict devices from using Wi-Fi or mobile data. 

Unauthorized access to sensitive data through BYO Devices 

Hexnode’s device management platform is fully integrated with Android Enterprise for Android devices. Separate work profiles can be created in BYO devices. This ensures that work data and personal data don’t intertwine. Separate passwords can also be applied to work profiles. 

For other platforms, you can blacklist, or whitelist based on the perceived risk of the said app. 
For Apple devices, a business container may be deployed to ensure that managed content and apps do not come in contact with unmanaged apps and content. 

Sharing of sensitive data intentionally or by accident 

Data sharing applications may be blacklisted, and other data sharing device functionalities such as Bluetooth, USB, NFC, and Android beam may be restricted. Copy and paste capabilities can also be disabled. Highly volatile data can be shared within the MDM server. Hexnode is even equipped with Hexnode Messenger, a fully secured and encrypted messenger that can be used for internal communication. 

Data compromised while in transit 

Data at rest is protected by the device encryption in place, what you should really look out for is the protection of data in transit. Confidential data can be intercepted and breached when it is being transmitted over the network if it is not well protected.   

Hexnode can help the enterprise extend Transport Level Security (TLS) by preconfiguring corporate Wi-Fi and directing the flow of data through a corporate VPN. 

Conclusion

Managing mobile devices is obviously a vital part of GDPR compliance. As mobile devices in organizations have increased over time, this subject has been snowballing and has been gathering more and more attention. And the discussion from efficiency at the workplace has shifted to privacy. People were starting to get concerned about the data that was being collected and how this data was being used. Organizations were accountable, and a regulatory system was needed to supervise this accountability.

So, as you employ more and more mobile devices in your organization, keep in mind that you are accountable for the data these devices hold. So, it is your responsibility to protect it and remain compliant with GDPR. Don’t slack on this; give it the attention it deserves and make your life a bit easier by using a device management platform like Hexnode.

Disclaimer: This article and the information in it do not constitute legal advice and is intended to support customers in their compliance efforts.

Share
  •  
  •  
  •  
  •  
  •  
Noel Rivera

Technical Blogger @ Hexnode. Existential and Curious.

Share your thoughts