PAUL CONATY OF CWSI
Paul Conaty, Lead Consultant and Solutions Architect at CWSI, looks at the particular challenges for Mobile Enterprise Solutions posed by GDPR and how compliance has already reaped benefits for some clients.
At any time, the introduction of GDPR would have forced massive change in how companies approached the challenge of managing data. But coming, as it did, at a time when Enterprise Mobility was emerging as the key focus for many businesses, its impact on this particular sector has been especially acute, and it has forced companies to grapple with issues which they had never before had to consider.
Of course, the responsibilities that GDPR imposes on an organisation don’t change because it’s pursuing a programme of Enterprise Mobility. But the practical implications of the GDPR regime for such programmes are massive; indeed, those aspects of Enterprise Mobility which are so attractive to businesses in the first place, including the portability and ubiquity of mobile devices, add massively to the challenge of meeting the new GDPR regulations.
In our experience, the key elements of GDPR from an Enterprise Mobility perspective are:
- Privacy by Design
- Explicit Consent
- Subject Access Rights
- Data Breach Notification
Each of these elements imposes onerous responsibilities on the relevant organisation.
Privacy by Design, for example, requires companies to understand what data is on a corporate mobile device by conducting a data flow mapping exercise to identify what data resides on, is transmitted to or from, or is collected by the mobile device of an employee (whether their own device or a company device). The same principle will increasingly require third-party vendors to offer clients privacy designs as part of core contracts going forward.
Data breach notification, as another example, requires companies to have procedures in place to be able to notify the relevant supervisory authority within 72 hours of the data controller becoming aware of the breach.
Much of the debate over the past year or so has focussed on the costs required to comply with GDPR. But there are benefits for businesses too; we’ve already seen examples of client companies identifying significant data weaknesses through the work they were required to do to comply with GDPR, and addressing these weaknesses now has undoubtedly saved them from serious financial and reputational loss at some point in the future.
We have seen other companies realise the level of sensitive information – including financial information and sensitive competitor information – which departing employees had easy access to via their mobile devices and which would otherwise have walked out of the business with them.