The General Data Protection Regulation (GDPR), which comes into effect on May 25th, is the greatest update to data protection ever seen, and companies are said to be moving hastily to ensure that they are GDPR compliant by the deadline. This doesn’t just include companies that use customer data; the handling of the private information of employees who are EU citizens must also be GDPR compliant. A good rule for businesses to follow is that if the customer, the employee or the business operates within the EU, GDPR must be adhered to.
Endpoint security is a critical part of the information security stack of any organization. A variety of technologies such as anti-malware solutions, secure web gateways, and endpoint management systems are used to ensure that desktops, laptops and mobile devices are not compromised. GDPR will only increase the importance of securing endpoints. However, these security systems all involve, to a greater or lesser extent, the monitoring of employees’ private data and internet activity. This is particularly the case with smartphones and tablets which are generally used for both personal and business purposes.
How then, do we reconcile the requirement for comprehensive protection of company and customer data with the privacy rights of employees as laid down by the GDPR?
GDPR still allows for employee monitoring, but some additional rules must be followed regarding the extent of this monitoring and the handling of data collected as part of this activity. The key principle is one of proportionality: the benefits of security measures must significantly outweigh the reduction in employee privacy. If the benefits can’t be shown to substantially increase security, then data collection and subsequent security protocols legally cannot be implemented. This applies to monitoring device usage on desktops, laptops and mobile devices.
This doesn’t completely stop businesses from monitoring device usage. If a business’s proposed security measures can pass a proportionality test, they are entitled, if they so choose, to monitor device usage and to ensure a safe working environment for all. Under GDPR, in some circumstances, organizations will need to conduct a Privacy Impact Assessment (PIA) in order to clarify whether they have a good enough reason to monitor employee internet usage. This will occur on a case-by-case basis, so employee monitoring rulings may vary depending on specific company types and the industries in which the company operates.
Reasons for Monitoring Employee Devices
Monitoring employee devices helps to detect and prevent loss of personal data, to detect and prevent loss or theft of intellectual/physical property, and to improve employee productivity and performance. It has already been determined under GDPR that these are valid reasons to monitor employees. This is important to note, as employee consent alone is not considered an acceptable reason to collect and store personal data.
If a company can prove that they not only have their employees’ consent but that the reasons behind the security measure are valid, then there shouldn’t be a problem with GDPR. However, if there are multiple security measures that provide the same or very similar results, then the least invasive measure must be chosen. As is now widely known, failure to comply with GDPR can result in penalties and fines as high as 4% of annual global revenue.
GDPR & Endpoint Security
GDPR will also affect the ways in which companies secure employees’ corporate-owned mobile devices. Businesses with Enterprise Mobility Management (EMM) systems and other mobile security products may have to adapt their chosen solutions to fall in line with these new regulations. A record will have to be kept of how and when an employee gives their consent to store and use their personal data. As well as this, the organization will need to record where that data came from and the parties with which it was shared. An information audit should be carried out to ensure there is transparency and accountability should unauthorized access to employee data occur.
Mobile security solutions should, in fact, help businesses move towards their GDPR compliance objectives, for example, in the event of a data breach. Mobile security solutions can provide a clear log of events that ultimately lead up to the data breach. This is done with pre-agreed access to all corporate-owned mobile devices so that the administrator can see which devices and apps accessed which business services. Should this security measure be in place, the data protection officer is able to make a better, more informed decision on the next steps.
Mobile security solutions can also help to separate personal and business data. The mobile device controller should be unable to access employees’ personal apps, emails, etc. This ties into minimizing the invasiveness of cyber security solutions. This separation increases the organization’s security, but also indirectly improves employee morale and productivity. Check out our blog post to find out more on why mobile content filtering can lead to a better, more productive work environment.
Why Corrata Doesn’t Require Change
Corrata is already GDPR-compliant by design. Both our future and existing clients have nothing to worry about when using our unique technology because the Corrata app does all of its processing on-device, only reaching to the Corrata Cloud for threat intelligence and configuration information. This minimizes invasiveness and eliminates the need for the organization to log device usage. By minimizing data collection Corrata also minimizes privacy concerns and ensures that users stay safe and secure, from both cyber threats and GDPR concerns.
In contrast, mobile security solution providers using the traditional VPN gateway or proxy approach must collect data on all employees’ internet usage for their security controls to function. Corrata is unique in that employee internet activity does not need to be viewed by any system external to the device. Corrata is just as powerful in protecting the device from web-based cyber threats, but every mobile device with the Corrata app installed simply has a filter, not a supervisor. If a device attempts to connect to a malicious host, the app simply blocks access to the host. Such an access attempt can be reported to the information security team as it is of legitimate interest (passing the proportionality test). However, the general private device activity of the employee remains private.
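The filter-not-supervisor architecture described above, as an added illustration that is not Corrata’s code: an on-device check against a constructed threat list that records only block events (the malicious host and the app that reached for it) and keeps nothing per-request about allowed traffic, beside the record a gateway-style proxy would necessarily hold. The hostnames, app names and timestamps are all constructed sample data.

```python
# Constructed threat list: hostnames the device will refuse to contact.
BLOCKLIST = {"malware-c2.example", "phish-login.example"}

class OnDeviceFilter:
    """Checks each outbound hostname locally. Only block events are kept;
    allowed traffic is counted but never recorded by hostname."""

    def __init__(self, blocklist):
        self.blocklist = set(blocklist)
        self.allowed_count = 0
        self.block_events = []  # the only per-request records that exist

    def check(self, host, app, when):
        if host in self.blocklist:
            # Record the malicious host and the app that reached for it,
            # which is of legitimate interest to the security team.
            self.block_events.append(
                {"time": when, "app": app, "host": host, "action": "blocked"})
            return False
        self.allowed_count += 1  # no hostname retained for allowed requests
        return True

    def report(self):
        """What leaves the device: block events plus an aggregate count."""
        return {"allowed": self.allowed_count, "blocked": list(self.block_events)}

def gateway_style_log(requests):
    """Contrast: a VPN or proxy gateway sees and records every request."""
    return [{"app": app, "host": host} for host, app, _ in requests]

# Constructed sample of one device's traffic (host, app, ISO timestamp).
REQUESTS = [
    ("mail.example", "mail", "2018-05-25T09:00:00Z"),
    ("bank.example", "browser", "2018-05-25T09:01:00Z"),
    ("malware-c2.example", "game", "2018-05-25T09:02:00Z"),
    ("news.example", "browser", "2018-05-25T09:03:00Z"),
]

def run(requests=REQUESTS, blocklist=BLOCKLIST):
    """Pass the sample traffic through the filter and return the report."""
    f = OnDeviceFilter(blocklist)
    for host, app, when in requests:
        f.check(host, app, when)
    return f.report()

if __name__ == "__main__":
    print("on-device report:", run())
    print("gateway log:", gateway_style_log(REQUESTS))
```

The on-device report contains one blocked event and an aggregate count, while the gateway log holds every host the user visited, which is the data-minimization difference a proportionality test would weigh.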
GDPR will force changes to endpoint security solutions, particularly for mobile devices. The enhanced requirements to protect private data and to detect when it has been compromised will make endpoint security more important than ever. However, technical solutions whose architectures require continuous external monitoring of device activity may well fall foul of the new regulations. When we founded Corrata in early 2016 it was with just this challenge in mind – to create a solution which delivers best-in-class mobile security without compromising employee privacy. We strongly believe that today our mobile security solution answers this challenge. The implementation of GDPR means that security architects in every organization need to be thinking in exactly this way – how to strike the correct balance between employee privacy and effective information security.