As we found with the recent Facebook/Cambridge Analytica situation, companies and organizations across multiple sectors are collecting, managing, utilizing and processing vast amounts of consumer data every single day. This data, often stored across personal and company devices, is increasingly being accessed for unintended uses, such as targeted advertising.
The General Data Protection Regulation (GDPR), due to be implemented EU-wide on May 25th, 2018, will build greater protections for personal data, with stricter controls and guidelines over how it is stored and used by organizations. Any European or U.S.-based company that does business or offers services in Europe needs to be up to code once GDPR compliance goes into effect. CISOs will play a critical role in making their organizations comply with GDPR, as they recognize the exposure to non-compliance that mobile devices storing both personal and corporate data represent.
Organizations are looking at potential vulnerabilities and at how to identify and protect the Personally Identifiable Information (PII) that they hold. One of the more difficult challenges will be securing any information held on unsecured mobile devices and laptops, where it is harder to track and presents a significant compliance challenge to companies. However, even with this risk in mind, recent research by WatchGuard Technologies has highlighted that more than a quarter (28%) of EU organizations believe that they don’t need to comply with the legislation.
On the other hand, according to a recent study by mobile security firm Lookout, 84 percent of U.S. security and IT executives agree that personal data located on employees’ mobile devices could put their company at risk of GDPR noncompliance. In fact, 64% of U.S. employees say they access their organization’s customer, partner and employee data from mobile devices.
A GDPR breach has a big price tag attached: non-compliance could lead to fines of 20 million euros, or four percent of a company’s worldwide annual revenue, whichever figure is larger. This punitive model significantly impacts businesses of all sizes.
Companies whose employees use mobile devices to access customer data and store their own personal data need to find a way to be compliant in the age of GDPR without disrupting established business models. One problem facing the telecoms industry more than others is how to handle data on devices, whether in the hands of the owner or in the secondhand market after devices have been taken back for recycling, repair, or maintenance.
The challenge of data left on devices
Though companies are getting much better at locking down problem data, the fact is that many don’t know how much data is stored on their employees’ mobile devices. Whether it’s metadata collected on mobile phones or data extracted from communications over a desktop, companies hold data they are unaware of when processing mobile phones and laptops, and that data is passed on to third-party suppliers and resellers long after a user has finished with their device.
This creates a serious challenge for operators, service providers, IT integrators and IT support companies offering any form of device trade-in, recycling or management service. The onus is on the carrier and the employer to make sure that customer data is stored to the highest standards of security, and that all data is removed from devices that are recycled or traded in.
Carriers and operators
The problem is pronounced for carriers and operators, who deal with heavy volumes of data traffic transmitted every day. This inherently means that they are responsible for the safety of vast amounts of customer financial and billing information, as well as people’s personal credentials. As they actively engage in device recycling, sales, resales and exchanges, this PII could quickly prove dangerous under the new law. Companies will need to implement new solutions to process and remove data, and to educate employees and customers on data handling in a way they can understand.
There are many ways in which companies may put such a solution into effect. One way to keep up to date with the regulations and mitigate significant risk is to ensure that systems and employees ask for customer consent at each step, and that they maintain the capability to erase a customer’s data footprint entirely if requested.
Looking to the future
An emerging technology that will soon further complicate data responsibility in the era of GDPR is IoT. We are moving beyond the situation where user data is stored on a small number of specific devices to a new environment where many small devices utilize and share personal data across networks. As these technologies become ever more prevalent, telecoms companies will have a duty to protect the growing influx of data that flows from and across these devices.
GDPR is about the appropriate use, by anyone with access to it, of the data that companies are trusted with. In the end, that’s about customer trust, which every brand needs to thrive. Users expect their data to be protected by their providers, and companies need to design processes and seek out recycling and resale partners that help them deliver on their data responsibilities throughout the value chain.