From a compliance perspective, the General Data Protection Regulation (GDPR) is a key focus area for global enterprises. The European Commission first proposed the regulation in January 2012; it was adopted in April 2016 and applies from May 25, 2018.
Refined through negotiation between the Council of the European Union, the European Parliament and the European Commission, the GDPR, unlike a directive, is directly applicable in all member states without transposition into national law by individual governments.
To Whom Does the GDPR Apply?
The GDPR represents the most significant change in EU data privacy regulation in two decades. Given the rapid growth of data storage and processing capabilities over that period, it is the logical next step for updating the privacy and security standards that govern data.
The GDPR applies to every organization (Data Controller) that offers goods or services to, or monitors the behavior of, individuals in the European Union (Data Subjects) and collects, stores or processes their personal data, regardless of where the organization itself is established. This covers data collected from every device those individuals use. It places a substantial responsibility on Data Controllers to ensure compliance with the new regulation.
Although most Data Controllers today rely on another company (Data Processor) to process end-user data, the current data protection directive, Directive 95/46/EC, imposes obligations only on Data Controllers; Data Processors carry no direct liability under it. The GDPR changes this significantly: both Data Controllers and Data Processors fall within the scope of the regulation and can be held liable. Noncompliance may result in administrative fines of up to 4 percent of the company's worldwide annual turnover or 20 million euros, whichever is higher, and that does not include the risk and cost of reputational damage.
(More) Power to the People
The primary objectives of the GDPR are to give EU residents control of their personal data and to simplify the regulatory environment for international business by unifying the standard within the EU. Major changes include:
- A broadened definition of personal data (the GDPR's term for personally identifiable information, or PII), which limits what Data Controllers and Data Processors can collect and process;
- A right of access to data held by Data Controllers and/or Data Processors, which allows data subjects to learn what data is being collected, by whom and why;
- Increased control of cross-border data transfers;
- The right not to be profiled and the right to object to processing, which now explicitly includes the right to object to profiling;
- Higher standards for consent, which must be freely given, specific, informed and unambiguous rather than implied;
- Enhanced right to request the erasure of data; and
- The right to transfer data to another organization (portability): Data Controllers must provide the data subject's data in a structured, commonly used and machine-readable format and, where technically feasible, transmit it directly to another organization at the data subject's request.
Building a GDPR Readiness Plan With UEM
To uphold the rights of EU residents, Data Controllers and Processors will have to create and implement a GDPR readiness plan before May 25, 2018. Beyond supporting the rights of Data Subjects outlined above, the GDPR readiness plan should include:
- Minimal data collection, limited to the bare minimum that is required to perform the processing;
- Documented data privacy and security practices to define standards for accountability, and demonstrate and maintain compliance;
- Advanced training and workshops for employees to gain complete understanding of the new regulation;
- Privacy by design principles to ensure best practices for data governance throughout the data life cycle; and
- Privacy assessments and gap analysis to evaluate the current state with respect to compliance standards and key areas for process improvement.
With ever more data flowing through smartphones, tablets and laptops, expect this regulation to govern how that data is collected, stored and processed. Compared to traditional software, assessing GDPR compliance for a unified endpoint management (UEM) solution is relatively straightforward, since its users are employees whose data is already held in many other corporate applications. But there are quite a few functional complexities to be addressed, including:
- The possibility of capturing PII from users' devices, many of which are corporate devices that employees also use for personal activities;
- Segregating corporate data from the variety of personal data on the device, such as location, multimedia and app data; and
- Maintaining data security on the device as well as on the network.
As an industry-leading UEM solution, MaaS360 is committed to establishing best-in-class security, privacy and transparency measures that are compliant with regulatory requirements and best practices. MaaS360 conforms with the current privacy laws in the EU, has already developed key compliance features and is on track to achieve complete GDPR readiness by the first quarter of 2018.
Preparing for the GDPR With MaaS360
Backed by the trust and assurance that IBM delivers across the globe, our award-winning solution primarily aims to increase operational efficiency, maximize data security and deliver on digital transformation goals for our customers.
Figure 1: MaaS360 container stores data on the device, not servers.
Below are some key design and performance factors that position MaaS360 as an ideal GDPR-ready solution.
A Containerized Approach
By design, MaaS360 does not store any user data on its servers. Instead, it stores data within a secure container on the device itself, and the MaaS360 cloud service and product teams have no visibility into it.
Ease of Managing Devices
The MaaS360 UEM system offers a comprehensive, highly secure platform that manages and protects mobile and Internet of Things (IoT) devices, people and identities, and apps and content. The ease of managing all of the above through a single portal without compromising quality is a unique MaaS360 offering.
Figure 3: IBM MaaS360 with Watson offers cognitive unified endpoint management (UEM).
IBM MaaS360 Cognitive Analytics Advisor is a cognitive engine designed to improve Data Controllers' efficiency by providing contextual best practices, productivity improvement opportunities and emerging threat alerts. It applies descriptive, predictive and prescriptive analytics to mobility data, and helps Data Controllers maintain GDPR compliance through early discovery of issues, improved security and actionable, contextual insights.
Privacy by Design, by Default
MaaS360 limits access to employees who need it to perform their jobs, including IBM admin and support teams. The solution also collects, stores and processes minimal personal data.
MaaS360 encrypts all data at rest and in transit. Application data is encrypted with AES-256 in CTR mode. On iOS, the app uses the platform's built-in CommonCrypto library, which provides FIPS 140-2 compliant encryption. On Android, it uses SQLCipher backed by the OpenSSL (AES-256) FIPS 140-2 compliant crypto module. SQLCipher encrypts the database file itself, page by page, so the entire database is protected rather than only selected contents within it.
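One caveat a practitioner should keep in mind about the scheme described above: AES-256 in CTR mode provides confidentiality but no integrity. Ciphertext is plaintext XORed with a keystream, so flipping a ciphertext bit flips the same plaintext bit and nothing detects it. Database-file encryption therefore pairs the cipher with a per-page MAC (SQLCipher, for example, stores an HMAC alongside each encrypted page). The Go program below is an added example written for this page; it is not MaaS360 or SQLCipher code, and the helper names `EncryptPage`, `DecryptPage`, `DecryptUnauthenticated` and `TamperDemo`, the fixed demo keys and the sample page bytes are all constructed for illustration. It encrypts one page with AES-256-CTR, shows that a one-bit flip passes unnoticed without a MAC, and shows the encrypt-then-MAC variant rejecting the same tampered page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Hypothetical page-encryption helpers for this example only (not product code).
const (
	keyLen = 32            // AES-256 key size
	macLen = sha256.Size   // 32-byte HMAC-SHA256 tag
	ivLen  = aes.BlockSize // 16-byte CTR initial counter block
)

// EncryptPage encrypts one page with AES-256-CTR and returns
// iv || ciphertext || HMAC-SHA256(macKey, iv || ciphertext).
// Encrypt-then-MAC: the tag covers the IV too, so neither can be altered.
func EncryptPage(encKey, macKey, page []byte) ([]byte, error) {
	if len(encKey) != keyLen {
		return nil, errors.New("encKey must be 32 bytes")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, ivLen+len(page)+macLen)
	if _, err := io.ReadFull(rand.Reader, out[:ivLen]); err != nil {
		return nil, err
	}
	// CTR turns AES into a stream cipher: ciphertext = plaintext XOR keystream.
	cipher.NewCTR(block, out[:ivLen]).XORKeyStream(out[ivLen:ivLen+len(page)], page)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out[:ivLen+len(page)])
	copy(out[ivLen+len(page):], mac.Sum(nil))
	return out, nil
}

// DecryptPage verifies the tag in constant time before decrypting and
// returns an error on any modification of iv, ciphertext or tag.
func DecryptPage(encKey, macKey, blob []byte) ([]byte, error) {
	if len(blob) < ivLen+macLen {
		return nil, errors.New("blob too short")
	}
	body, tag := blob[:len(blob)-macLen], blob[len(blob)-macLen:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("page authentication failed")
	}
	return DecryptUnauthenticated(encKey, blob)
}

// DecryptUnauthenticated is the weak variant: CTR with no integrity check.
// It exists only to show why a bare stream cipher is not enough for stored data.
func DecryptUnauthenticated(encKey, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	body := blob[:len(blob)-macLen]
	plain := make([]byte, len(body)-ivLen)
	cipher.NewCTR(block, body[:ivLen]).XORKeyStream(plain, body[ivLen:])
	return plain, nil
}

// TamperDemo flips one ciphertext bit and reports whether plain CTR silently
// returns altered plaintext and whether the MAC-protected path rejects it.
func TamperDemo() (bool, bool, error) {
	encKey := bytes.Repeat([]byte{0x11}, keyLen) // constructed demo key, never reuse
	macKey := bytes.Repeat([]byte{0x22}, keyLen) // constructed demo key, never reuse
	page := []byte("user=alice;role=user;")      // constructed sample page

	blob, err := EncryptPage(encKey, macKey, page)
	if err != nil {
		return false, false, err
	}
	blob[ivLen] ^= 0x01 // flip low bit of first ciphertext byte: 'u' becomes 't'

	plain, err := DecryptUnauthenticated(encKey, blob)
	if err != nil {
		return false, false, err
	}
	silentlyAltered := !bytes.Equal(plain, page)

	_, err = DecryptPage(encKey, macKey, blob)
	rejected := err != nil
	return silentlyAltered, rejected, nil
}

func main() {
	altered, rejected, err := TamperDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CTR alone returned altered plaintext: %v\n", altered)
	fmt.Printf("encrypt-then-MAC rejected the page:   %v\n", rejected)
}
```

When evaluating any "AES-256 encrypted database" claim, the question to ask is what provides integrity for each page and whether the MAC key is separate from the encryption key, as it is here.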
Logging, Auditing and Reporting
MaaS360 offers extensive logging and audit functionality with reporting. This helps meet several GDPR requirements, notably demonstrating accountability, maintaining records of processing activities and supporting timely breach investigation and notification.
A Trusted Platform
MaaS360 is delivered from a best-in-class cloud on a mature, trusted platform that has maintained Federal Information Security Management Act (FISMA) compliance since 2011 and a SOC 2 Type II attestation since 2007. It is the only FedRAMP-authorized enterprise mobility management (EMM) solution, an authorization that entailed an extensive security review of its controls.
Our solutions run in the cloud and work seamlessly with customers’ on-premises and cloud systems, reducing the effort needed to deploy, scale, maintain and update. Our true software-as-a-service (SaaS) architecture provides a comprehensive, integrated set of mobile management and security solutions that are designed to work together from the ground up, avoiding the need for costly and complicated integration efforts across point capabilities.
Putting It All Together
These are just some of the many reasons why MaaS360 is the fastest and most cost-effective way to meet new business challenges, support new users, devices, and apps, and comply with upcoming regulations. With these capabilities, aided by other security solutions, IT professionals and security leaders should have no problem achieving GDPR compliance across their environments before the regulation takes effect in May of next year.