The GDPR enforcement date is here and we’re all getting a deluge of emails asking if we still want to be contacted by organisations we’d forgotten we’d ever signed up to!
On recent courses we’ve been asked questions about the GDPR implications of using mobile phones. Here are a few things to bear in mind when writing your firm’s GDPR and IT policies.
Mobile devices are a big risk!
Mobile phones are inherently risky in terms of data security. Reportedly 90 mobile phones are left on the Tube network every day! Staff training needs to include simple reminders about keeping devices secure and safe. A lost mobile device may count as a reportable breach. Key considerations are:
- All devices should be password protected as a minimum, and encryption is advisable – penalties have been served for the loss of data from mobile devices that had neither.
- Procedures are required to reduce the threats from malicious apps, always-on connectivity, apps which access and send data to servers outside the EU, devices being connected to unsecured public networks, and the loss or theft of storage media within the device, such as SD cards.
Emails on mobile phones
Emails on mobile phones are a potential risk when it comes to personal data. Email attachments could contain sensitive personal information, so consideration should be given to what is allowed to be transferred via email. When you add the hazards inherent in mobile devices, including the potential for their loss or interception, the risks are much higher.
Bring your own device (BYOD)
Staff using their own phones for work (BYOD) is very common: it increases flexibility of working while keeping costs down for the firm. But personal devices also bring a raft of risks. Key steps are:
- Consider having the ability, and the right, to wipe data from a lost device. Without endpoint management software that can compartmentalise data into business and personal, a remote wipe would delete all of the user’s personal content as well.
- Give clear guidelines on the types of personal data which can be stored on particular devices and which cannot.
- Consider setting up a separate wi-fi network in the office for personal devices to connect to rather than the main corporate network.
- Ensure that different apps are used for personal and business use.
You also need to consider the reverse – if you are monitoring the usage of BYOD devices, are you compromising the user’s rights and processing unnecessary information about them? Bear in mind the ICO’s Employment Practices Code.
The ICO has some good, practical guidance on BYOD at https://ico.org.uk/media/for-organisations/documents/1563/ico_bring_your_own_device_byod_guidance.pdf. Although this currently refers to the DPA 1998, the fundamental principles are the same.
Even personal devices that are not used for business at all raise considerations. Are your staff allowed to charge their personal mobile phones by plugging them into their laptops? This poses a risk of phones without anti-virus or malware protection infecting your network. Consider procedures in this area also.
This topic is a minefield – and that’s even without thinking about other mobile storage devices. But it’s one which you must negotiate, and with the enforcement regime taking effect from 25 May, it has to be a priority!
Liz Hollingsworth and Peter Herbert