Using a private smartphone and tablet for business purposes within the framework of the General Data Protection Regulation (GDPR)


One of the highest GDPR fines imposed in Germany to date was issued in November 2019 against Deutsche Wohnen SE. The real estate company had stored customers’ personal data without a legal basis. Data protection violations of this kind can result in fines of up to EUR 20 million or up to four percent of a company’s total worldwide annual turnover for the preceding financial year (Article 83(5) GDPR), not to mention the loss of reputation. Public authorities are also bound by the GDPR, and their role-model function alone obliges them to implement it. To avoid infringements and penalties, companies and authorities need to know the facts about the GDPR. In this blog post, we clarify the most important questions about the GDPR, particularly with regard to mobile working and the use of private devices for work and business purposes (Bring Your Own Device, BYOD).

What is the GDPR?

The GDPR is a European Union regulation that standardizes the rules for the processing of personal data by private companies and public bodies throughout the EU.

Personal data is increasingly being accessed, stored and processed on smartphones and tablets, so it must be protected there in accordance with the GDPR as well. This is particularly relevant if, for example, you use your private cell phone for business purposes: the GDPR applies to that device too.

What does the GDPR require of companies and authorities?

In addition to documentation and information obligations and the principle of data minimization, IT must be operated in accordance with the GDPR. But what does that mean in concrete terms?

Protective mechanisms must be proven

Companies and public authorities must prove that they have introduced appropriate protection mechanisms to protect the personal data of customers, business partners, citizens and employees on mobile devices. According to the GDPR, these protection mechanisms must also be extensively documented. This documentation must be available for inspection at all times, even if no damage has occurred.

Measures for sensible data protection

Article 5(1)(f) of the GDPR requires, among other things, the integrity and confidentiality of data. This can only be achieved through a clean separation of business (or, for public authorities, official) and private data and applications on the mobile device. This is the only way to reliably protect business or official data from external threats and from unauthorized use or disclosure.

Article 32 also requires that precautions must be taken to ensure the security of the data itself, e.g. by means of encryption. If the company or business data and applications are stored in an encrypted container and communication from the mobile device to the IT system is also fully encrypted, the requirements of the GDPR are met.

This also facilitates the data protection impact assessments required by Article 35. If the data on the device is not strictly separated, the assessment will find that the consequences for the protection of personal data cannot be estimated, and the GDPR will therefore not be complied with.

Data protection through the right technology

According to Article 25, data protection must be ensured through the right technology and data protection-friendly default settings. To this end, appropriate technical and organizational measures (TOMs) must be taken.

The following principles of the GDPR apply if you wish to use your private smartphone/tablet for business purposes:

  • Data security, data integrity
  • Encryption of data
  • Protection of privacy
  • A solution that is “state of the art”
  • Separation of private and business data

With SecurePIM, you comply with these GDPR principles as standard. The solution is easy to install and adapts to your infrastructure. You don’t even need mobile device management (MDM).

With a container solution such as SecurePIM, you can introduce GDPR-compliant BYOD

SecurePIM offers the following technical measures, for example:

  • SecurePIM enables a clear separation between private and business data on the device.
  • The SecurePIM Management Portal specifies which devices may access which data and which security requirements must be observed.
  • The IT administrator can also enforce compliance through sensible security regulations (e.g. prohibiting the copying of data outside the container) and take countermeasures if the application no longer meets the requirements.
  • The data is also protected against unauthorized access: the container closes automatically if, for example, the device is jailbroken, and it can be locked and wiped by the administrator if the end device is lost.

Read more about container technology in our free white paper “Container technology: the future-proof solution for IT security on smartphones and tablets”.

This blog article was originally published on November 11, 2020 and last updated on February 18, 2022.