From a compliance perspective, the General Data Protection Regulation (GDPR) is a key focus area in global enterprises. This regulation was first introduced in January 2012 and will go live on May 25, 2018.

Refined by input from the European Council, European Parliament and European Commission, the GDPR, unlike a directive, will be directly applicable in all member states without any legislative requirements by individual governments.

To Whom Does the GDPR Apply?

The GDPR represents the most prominent change in data privacy regulations in the past two decades. Given that we’ve witnessed the fast growth of data storing and processing capabilities during this period, it is the logical next step for updating the privacy and security standards for data governance.

The GDPR applies to all companies (Data Controllers) that conduct business with European Union (EU) residents (Data Subjects) and collect, store and process their data. This covers data collected from every device used by residents of the EU. This passes a huge responsibility onto the Data Controllers to ensure compliance with the new regulation.

Although these days most Data Controllers use another company (Data Processor) to process data from end users, the current data protection directive, officially known as Directive 95/46/EC, applies only to Data Controllers; Data Processors have no liabilities toward such directives. The GDPR will bring a big change in this respect, since it requires both Data Controllers and Data Processors to share the scope of the regulation. Noncompliance may result in severe penalties of up to 4 percent of the company’s global revenue, and that doesn’t include the risk and cost of reputation loss.

(More) Power to the People

The primary objectives of the GDPR are to give EU residents control of their personal data and to simplify the regulatory environment for international business by unifying the standard within the EU. Major changes include:

  • A broadened scope of personally identifiable information (PII), which limits what Data Controllers and Data Processors can collect and process;
  • Restricted access to data collected by Data Controllers and/or Data Processors, which will allow Data Subjects to know what data is being collected, by whom and why;
  • Increased control of cross-border data transfers;
  • The right to object to processing, which now explicitly includes the right to object to profiling;
  • Higher standards that require explicit, not implied, consent;
  • An enhanced right to request the erasure of data; and
  • The right to transfer data to another organization (portability), since Data Controllers must support the transfer of structured and/or raw data to another organization if requested by the Data Subject.

Building a GDPR Readiness Plan With UEM

To facilitate the rights to EU residents, Data Controllers and Processors will have to create and implement a GDPR readiness plan before May 25, 2018. Beyond facilitating the rights of Data Subjects outlined above, the GDPR readiness plan should include:

  • Minimal data collection, limited to the bare minimum that is required to perform the processing;
  • Documented data privacy and security practices to define standards for accountability, and demonstrate and maintain compliance;
  • Advanced training and workshops for employees to gain complete understanding of the new regulation;
  • Privacy by design principles to ensure best practices for data governance through its life cycle; and
  • Privacy assessments and gap analysis to evaluate the current state with respect to compliance standards and key areas for process improvement.

With ever more data flowing through smartphones, tablets and laptops, expect this regulation to govern the data collection, storage and processing practices on those devices. Compared to traditional software, it is relatively easy to assess GDPR compliance for unified endpoint management (UEM) solutions: since the users are employees, their data is already stored in many other applications. But there are quite a few functional complexities to be addressed, including:

  • The possibility of capturing PII from users' devices, many of which are corporate devices that employees also use for personal activities;
  • Segregating corporate data from a variety of personal data such as location, multimedia and app data; and
  • Maintaining data security on the device as well as on the network.

As an industry-leading UEM solution, MaaS360 is committed to establishing best-in-class security, privacy and transparency measures that are compliant with regulatory requirements and best practices. MaaS360 conforms with the current privacy laws in the EU, has already developed key compliance features and is on track to achieve complete GDPR readiness by the first quarter of 2018.

Preparing for the GDPR With MaaS360

Backed by the trust and assurance that IBM delivers across the globe, our award-winning solution primarily aims to increase operational efficiency, maximize data security and deliver on digital transformation goals for our customers.

Figure 1: MaaS360 container stores data on the device, not servers.

Below are some key design and performance factors that position MaaS360 as an ideal GDPR-ready solution.

A Containerized Approach

By design, MaaS360 does not store any user data on its servers. Instead, it stores data within a secure container on the device itself, and the MaaS360 cloud service and product teams have no visibility into it.

Figure 2: MaaS360 Unified Endpoint Management, consolidated list view of devices.

Ease of Managing Devices

The MaaS360 UEM system offers a comprehensive, highly secure platform that manages and protects mobile and Internet of Things (IoT) devices, people and identities, and apps and content. The ease of managing all of the above through a single portal without compromising quality is a unique MaaS360 offering.

Figure 3: IBM MaaS360 with Watson offers cognitive unified endpoint management (UEM).

Cognitive Context

IBM MaaS360 Cognitive Analytics Advisor is a cognitive engine designed to improve Data Controllers’ efficiency by providing contextual best practices, productivity improvement opportunities and emerging threat alerts. It is a key differentiator, leading innovation in mobility with descriptive, predictive and prescriptive analytics. It helps Data Controllers maintain GDPR compliance through early discovery and improved security, and offers actionable insights and contextual analytics.

Privacy by Design, by Default

MaaS360 limits access to employees who need it to perform their jobs, including IBM admin and support teams. The solution also collects, stores and processes minimal personal data.

Secure Data

MaaS360 encrypts and secures all data at rest and in motion. AES-256 CTR encryption algorithms are used to encrypt all application data. For iOS, mobile application security uses the built-in CommonCrypto FIPS 140-2 compliant encryption. On Android, it uses SQLCipher with the OpenSSL (AES-256) FIPS 140-2 compliant crypto modules. This provides comprehensive encryption to secure the entire database, not just contents within the database.

Logging, Auditing and Reporting

MaaS360 offers extensive logging and audit functionality with reporting. This is very helpful in meeting multiple GDPR requirements.

A Trusted Platform

MaaS360 is delivered from a best-in-class cloud on a mature, trusted platform with Federal Information Security Management Act (FISMA) certification since 2011 and SOC-2 Type II certification since 2007. It is the only FedRAMP-authorized enterprise mobility management (EMM) solution, which entailed an extensive security review of its controls.

Seamless Integration

Our solutions run in the cloud and work seamlessly with customers’ on-premises and cloud systems, reducing the effort needed to deploy, scale, maintain and update. Our true software-as-a-service (SaaS) architecture provides a comprehensive, integrated set of mobile management and security solutions that are designed to work together from the ground up, avoiding the need for costly and complicated integration efforts across point capabilities.

Putting It All Together

These are just some of the many reasons why MaaS360 is the fastest and most cost-effective way to meet new business challenges, support new users, devices, and apps, and comply with upcoming regulations. With these capabilities, aided by other security solutions, IT professionals and security leaders should have no problem achieving GDPR compliance across their environments before the regulation takes effect in May of next year.

Read the white paper: The GDPR is coming — and sooner than you think
