What is the EU General Data Protection Regulation (GDPR)?
The EU General Data Protection Regulation (GDPR) is a European Union regulation which aims to harmonize the rules concerning the processing of personal data by private companies and public bodies across the Union.
The amount of personal data downloaded, saved or processed on smartphones and tablet computers is constantly increasing, which is why this information should be appropriately protected on said devices. In addition, the GDPR requires that companies and governmental institutions be able to prove their implementation of protection mechanisms to secure personal data on their mobile terminal devices.
Appropriate technologies and default settings promoting data protection must be guaranteed. This means that adequate technical and organizational measures (TOMs) must be implemented.
What does the GDPR require from companies and public bodies?
In addition to documentation and information obligations and the principle of data minimization, companies’ and governments’ IT departments must operate in compliance with the EU General Data Protection Regulation. What does that mean exactly?
There must be evidence of the protection mechanisms in place
Companies and institutions must be able to prove that they implement appropriate protection mechanisms in order to protect the personal data belonging to their clients, business partners, citizens and staff on mobile terminal devices. There must be detailed evidence of the protection mechanisms applied on file, and related documents must be continually updated, even if there are no incidents.
Measures for appropriate data protection
Among other things, Article 5, paragraph 2 sets forth the integrity and confidentiality of the data. This can only be achieved by segregating corporate and personal data and applications on mobile terminal devices. This is the only way to reliably protect corporate and governmental data from third-party threats and from unauthorized usage or dissemination.
In addition, Article 32 requires that precautions be taken for the protection of the data themselves, e.g. by means of encryption. These provisions are fulfilled if corporate data and applications are located in an encrypted container, and if all communications between the mobile terminal device and the company’s IT department are seamlessly encrypted.
This also makes data protection impact assessments as defined in Article 35 easier. If the data are not strictly segregated on the device, such impact assessments will not permit the evaluation of the protection of personal data, resulting in non-compliance with the GDPR.
Data protection by means of the correct technology
In accordance with Article 25, appropriate technologies and default settings promoting data protection must be guaranteed. This means that adequate technical and organizational measures (TOMs) must be implemented.
Which technical measures are required by the GDPR?
A container solution such as SecurePIM provides the following technical measures:
- Clear segregation of personal and corporate data on the device.
- The SecurePIM Management Portal is used to predefine the devices, the data each device may access, and the security provisions that must be respected.
- The IT administrator can also set additional tailored security rules for compliance (e.g. not allowing the copying of data outside the container) and define countermeasures to be applied when applications no longer meet the defined prerequisites.
- The data are also protected from unauthorized third-party access because the container locks automatically in the case of a jailbreak attack, for example, and can be locked and deleted by the administrator if a device is lost.
Important principles underlying the EU General Data Protection Regulation (GDPR)
- Data security, data integrity
- Data encryption
- Protection of privacy
- A state-of-the-art solution
- Separation of corporate and personal data
SecurePIM fulfills these principles out-of-the-box. The solution is easy to install and can be integrated into your existing infrastructure. You don’t even have to manage the device.
SecurePIM – the Container app for secure mobile work
The secure communication app SecurePIM for iOS and Android unites all important business features in a single app. Request your free trial version now.
Trust SecurePIM – If you get fined, you will get a refund
Thanks to SecurePIM, you can work securely on mobile terminal devices and fulfil the provisions set forth in the EU General Data Protection Regulation.
We promise that the encryption in the SecurePIM containers is sufficiently efficient to provide a “level of security appropriate to the risk” as defined in Article 32 of the EU General Data Protection Regulation (GDPR) for personal data. This means that a German supervisory authority cannot fine companies implementing SecurePIM in accordance with Article 58, paragraph 2 i), in relation to Article 83 of the GDPR. However, if you should happen to be fined despite the use of SecurePIM, we promise to refund the full amounts paid for an annual license. *)
*) To obtain this refund, the following requirements must be fulfilled:
- The latest version of SecurePIM was in use.
- Sufficient security rules were implemented by the lease-holder.
- The fine was imposed by the German supervisory authority in charge of ensuring compliance with the EU General Data Protection Regulation (GDPR) (cf. Article 51 ff. GDPR)
- Non-compliance was due to the design and implementation of SecurePIM’s encryption, for which Virtual Solution, as the manufacturer of the product, is liable, and was not, for example, the result of the lease-holder’s (lacking) organisational rules which would have enabled the circumvention of barriers set up by SecurePIM (e.g. because it was not prohibited to share PINs).