With GDPR only seven months away now, one aspect of compliance we all need to consider is how to secure personally identifiable information (PII) on laptops and other mobile devices. This data is harder to control and at a greater risk of being compromised because it’s not behind the company firewall.
However, I believe that there’s no need to panic. If you take a strategic approach to data protection you’re well on the way to achieving compliance, and there are some useful tools available to help you address the mobile issue.
The first step is to work out where your PII actually is. Around 20 per cent is likely to be in specific applications such as databases and CRM systems, and this is straightforward to identify and protect. It should be easy to find any copies on mobile devices, and if they don’t need to be there you can simply move them to secure internal storage or delete them.
The remaining 80 per cent of data is harder to categorise. But do you actually need to protect most of this information? Material such as proposals, reports, technical documentation and internal quality, process and admin documents all contain minimal PII – primarily just the name and job title of the recipient, which is already in the public domain on LinkedIn etc. These documents aren’t a significant GDPR risk, and normal good security practice will be sufficient for them.
If you believe there’s PII on corporate mobile devices, you can use software tools such as Druva inSync to scan files and data as part of the device’s backup and recovery process. This will identify potential PII and other sensitive data, which you can then protect or delete in line with your company policy. You don’t even have to buy the software yourself - we offer this capability as a service, and as well as providing backup and restoration we offer compliance and legal hold with scalable, encrypted backup storage.
Most important of all, you need a data security policy for your company’s mobile devices which is enforceable, realistic, unambiguous, acceptable to users and avoids violating personal privacy laws. The key is to minimise the amount of data transferred to or held on the device. There are various ways to do this, and we’re happy to advise you on the options.
Overall I believe GDPR is a business issue, not a technology problem. Technology can help by providing useful search and archive tools but the key is a clearly defined and well understood GDPR adherence policy, with appropriate business processes to ensure compliance and continual good cyber security discipline.
There’s more information in my recent article in GDPR:Report.