As organizations around the world prepare for major new data privacy rules to take effect, their biggest challenge is taking stock of data and how they use it.
The General Data Protection Regulation (GDPR), which goes into effect in May 2018, governs the storage and processing of individuals' personal data. For IT departments, this regulation means they must review their handling of employees' and customers' information to ensure it meets new security requirements. Endpoint management products play an important role in helping IT get ready for GDPR requirements, but many of these tools don't yet have all the capabilities they need, experts said.
"It's going to be a huge risk if the organization is not able to control data that's part of GDPR," said Danny Frietman, co-founder of MobileMindz, an enterprise mobility consultancy in the Netherlands. "A lot of companies will not be able to cope with the magnitude of that change."
GDPR is a European Union (EU) regulation that aims to protect Europe residents' data, but it has worldwide ramifications. U.S.-based companies that have branches in the EU, use consultants based in the EU or have customers in the EU, for example, will all have to comply. GDPR would come into play for most organizations when it comes to protecting their employees' and customers' personally identifiable information (PII), such as home address, IP address or bank account details.
The role of endpoint management tools in GDPR
Mobile and desktop management tools allow administrators to implement the following technologies and features:
- multifactor authentication;
- application blacklisting;
- per-user security policies; and
- alerts that identify noncompliant activities.
Specifically for mobile devices, IT can use capabilities such as the following:
- remote wipe to remove a user's information once they leave the company;
- containerization to separate personal and corporate information and ensure that IT only accesses the identifiable data it really needs; and
- threat defense tools to be proactive about potential breaches.
MobileMindz, for instance, uses Apperian for mobile application management and adopted its enterprise app store to ensure all employees' apps that deal with sensitive data are secure, Frietman said.
But EMM tools lack the ability to allow for clear and efficient logging, reporting and auditing of what personal data an organization has. That's the bigger challenge for IT, said Frietman, whose firm is preparing clients and itself for GDPR.
"This is a huge opportunity for EMM vendors," he said. "It could solve a lot of questions for customers."
VMware, for one, has aimed over the past year to improve upon its existing data-reporting capabilities in Workspace One, a company spokesperson said. Workspace One Intelligence, announced at this year's VMworld, can help IT document information for GDPR requirements by gaining deeper insight into its data and running reports based on historical and future big data. It should be generally available before the regulation goes into effect in May, the spokesperson said.
Preparing a paper trail
The biggest change EUC administrators will need to enact to comply with GDPR requirements is around governance and data inventory -- an approach to managing information that's based on clear processes and roles. The regulation requires the entities that collect personal data be able to identify exactly what data they have, whose it is, why they have it, the purpose of keeping it and what they are going to do with it.
Clear documentation of all data will be key, said Chris Marsh, research director at 451 Research.
"You can point to that straight away if anyone came to you, and you can say, 'This is what the purpose was, and here's what we're doing with the data,'" Marsh said.
Organizations should also develop clear, written security and compliance policies that state who has access to what data and how they can use it. Can a human resources manager view employees' bank account information? Can IT administrators view GPS location from a user's mobile device? Can a salesperson who deals with customer information share data from a corporate app to a personal one?
"We are living with decentralized data, and companies should have thought about the impact of that data a while ago," Frietman said.
How the GDPR works
Danny Frietmanco-founder, MobileMindz
GDPR differs from its predecessor, the Data Protection Directive, in that it has tighter requirements for documenting and defining what data an organization processes and why. It also has a stricter definition of consent, which says companies must get "freely given, specific, informed and unambiguous" agreement from individuals to process their data. In addition, authorities that regulate GDPR will do so in standard fashion across the EU, rather than enforcing the regulation differently in each member state.
But what makes GDPR so complex is its wide-ranging classification of what constitutes personal data. The European definition of personal data is much wider than the U.S. definition of PII. It can even include biometric data, political opinions, health information, sexual orientation, trade union membership and more.
"Those things, according to the European view, are particularly susceptible to misuse in discrimination against individuals," said Tatiana Kruse, of counsel at global law firm Dentons.
GDPR includes dozens of requirements and suggested security guidelines for how to comply. For instance, certain companies must appoint a data protection officer and report breaches to authorities. They may also have to take data privacy into account when building IT systems and applications by using technologies such as pseudonymization, which masks data so it can't be attributed to a specific person -- an approach called privacy by design.
But the GDPR requirements do not include many specific security measures that IT must implement; a lot of the law will be figured out in litigation as regulators check into companies' compliance, said Joseph Jerome, a policy counsel on the Privacy and Data Project at the Center for Democracy and Technology in Washington, D.C.
"Everyone needs to be inventorying their personal data and take a broad characterization of this," Jerome said. "If you're putting things in writing, that's good. GDPR is going to lead to lots and lots of documentation."
How will GDPR change your compliance setup?
Understanding GDPR 'right to be forgotten'
Why GDPR compliance matters for every business