GDPR has been a hot topic for our customers. Lots of questions have been asked about securing devices against theft, loss and hacks, all of which could result in a data breach. Sighs of relief can be heard when we confirm that we can lock and locate a stolen or hacked device. But there is more to GDPR than just locking and encrypting.
Few companies consider what data is stored on each device and if they have an accurate record of its location and consent. The importance of this didn’t really settle in until a few days ago when I accepted a request to connect with a colleague on Linkedin and was met with the following situation…
After accepting the request, LinkedIn wanted to support me in my mission to grow a great professional circle. It did this by showing my list of ‘contacts’ with whom I am yet to connect with. This wasn’t an ‘opt-in’ process, without choice I was taken to at least two pages of potential new contacts. I could skip the process, but even then I could see the top 20 suggestions on each page. Being human when a familiar face and name popped up, my instinct was to look.
So, who did I see? My blast from the past moment soon turned into arctic-strength GDPR chill. There smiling from their photo boxes were people I had emailed from a Hotmail account which I had owned from the age of 12. I was convinced that these people were not saved in my contacts and after investigating I was correct, nevertheless there they all were. At some point when starting my LinkedIn account (in the hazy days of early 20’s where data consent was not on my agenda) I had agreed to share my email contacts.
The second page of smiling photos turned into something of a GDPR horror story. Here were professional contacts and businesses which I had never knowingly saved data for. They were once stored on my personal device, safely nestled (I thought) in a CRM app. Having left the company, the app is long gone from my device, but low and behold there they all were. Memories of painstakingly deleting unknown names and numbers from my personal contact list (as the app had unknowingly shared them with my device) came flooding back. It seems LinkedIn had joined the party and this data had been shared with this third-party app.
Both scenarios pose potential problems with the implementation of GDPR:
1. The positive opt-in.
When collecting customer data GDPR requires companies to be highly explicit about where the data will be stored and what it will be used for. This is great, it puts the customer in control and builds your reputation and trust when you fulfill the promise. Third-party app gatecrasher: Innocently staff may have shared the contacts of a CRM or equivalent app with their device contacts. When downloading apps such as social media sites many of us mindlessly grant access to our contacts. The consequence is that customers data could be shared in a way which they have not agreed too. It is likely that your company has a responsible use of social media policy and most employees would not add a customer as a Facebook ‘friend’, but what about a professional contact on LinkedIn? Your opt-in policy is not likely to include sharing data with social networking on any level, therefore you have not been transparent about how the data will be stored and shared.
2. The right to be forgotten
All customers have the right to be forgotten. This means that they can ask what data you hold, where it is stored and request its removal. This is something that must be completed within 30 days and free of charge. Third-party app gatecrasher: Are you 100% sure what apps your employees have on their devices? You may think you are, but it may not be that transparent. If an employee has not been issued with a work device, they may well access a company email account through a personal device of their own. Some may be diligent enough to download a CRM application, if this is the case, can you be sure you can fulfil a request to remove data from all locations as promised? Some examples of where data may slip through the net include; a group email address that your employee has set up, contacts being shared and stored within third party apps (see point one) and contacts being manually created and stored. These could pose problems further down the line, should a contact receive correspondence from your employee after the 30 days has passed.
3. Logging your data locations
As part of the GDPR process, you are required to audit where you are holding data. It is important that this audit trail is completed, and you can evidence positive opt-in for all data, in all locations. Third-party app gatecrasher: The message is clear. Apps can share, import and download data onto our devices. This can pose problems for your audit trail. Without a managed solution on your device apps can easily share and download data amongst themselves. Not only will you struggle to fulfill the right to be forgotten, it also means that your audit trail is incomplete. A lost, stolen or hacked device may have breached data which is not included in your records. If data is compromised it should be shared with the ICO within 72 hours, this is a problem if you are not 100% sure what data is where.
There are lots of ways to manage devices and third-party apps without the need to purchase a new fleet of hardware for your team. As you make the final preparations for GDPR, check over your audit. Does it include your mobile devices? Make sure all staff are aware of the implications of storing data on personal devices. Ensure that your social media policy is explicit against sharing data and be sure staff know what this means. Check that you have evidence for a positive opt-in to store data centrally and for all device locations. Be explicit where you are sharing data within the company.