Mobile Device Management (MDM) and the EU-GDPR – What needs to be considered?

For many small and medium-sized enterprises (SMEs), the EU GDPR, the General Data Protection Regulation, represents a legal challenge. 

What is the EU-DSGVO?

GDPR stands for the General Data Protection Regulation. This is a law that applies to all EU member states and came into force in 2019. From the DSGVO regulation, clear rules emerge in the handling of personal data. This includes the areas of collection, storage and use of data.

What data is affected?

The GDPR guidelines regulate the handling of personal data that a company collects. Data is personal if it is not collected completely anonymously and is assigned to a specific person, such as cookie tracking data that records the user and purchasing behavior of a specific person based on their IP address.

Areas in the company that come into contact with personal data:

• Order management
• Personnel management
• Payment processing
• payroll accounting
• customer management
• Marketing for customer acquisition and retention

How does the EU GDPR affect the use of private devices in the company?

Employees frequently use their private end devices even during work with “Bring Your Own Device (BYOD)”. Almost without exception, personal data is collected and processed in this context. It is therefore essential that the company can ensure that this data is handled in compliance with the GDPR.

By ensuring the separation of private and business data, for example, DSGVO-compliant use of messenger services such as WhatsApp can be guaranteed.

What data protection requirements arise from the use of mobile devices

It is important that a company can always ensure that it has an overview of and direct access to personal data. This can ensure that data subjects can be provided with information about their data.

Employees, customers and other stakeholders have a right to data deletion of their personal data stored in the company. The company must therefore always be able to delete this personal data.

The company must be able to collect and process sensitive data securely and keep transparent the measures taken to ensure that security.

How can I enforce and comply with the GDPR in my company?

To ensure that the company can comply with the GDPR without any problems, even if the employees use a private or a company-owned device, the company should use a mobile device management solution to comply with GDPR regulations and to monitor compliance in a simple and straightforward manner.

In concrete terms, this means that compliance with the GDPR guidelines can be facilitated, but not guaranteed, by appropriate default settings in the MDM software.

Clear separation between private and business data with container solution

It is difficult to separate private and business data when, for example, apps and applications are used for both sides. This is especially true when the bring-your-own-device model means that the private cell phone is used in the company.

An MDM system provides container solutions that create two completely isolated areas on a device, between which there is no data exchange. Most containers use AES encryption, which prevents external access to the container.

Through containerization, targeted deletions can be made remotely by an IT administrator, for example, in the event that an employee no longer works at the company.

IT departments help with mobile device management

An external IT department can help manage employee smartphones and tablets. A compliance regulation defines how networks are accessed. This is implemented using business containers on the devices. The MDM solution manages and monitors things via the cloud.

The IT department is also setting up a system in which all private e-mails, contacts, calendar data and apps are stored in a separate, encrypted container. This prevents access to sensitive employee data.

How can employees be granted secure access to the company network?

Mobile device management or enterprise mobility management can be used to provide secure access to networks. This results in secure surfing in the network and the secure use of interfaces. Thanks to MDM, devices can also be rendered unusable by blocking or deleting data in the event of misuse or theft.

Default settings can be made, such as what minimum password length must be used. Settings for hard disk encryption can be configured. In addition, the way in which interfaces or user interfaces are used can be defined to ensure security in the company.

How does a MDM solution help comply with GDPR and data protection policies?

Through the default settings made in an MDM solution for a company, companies can protect themselves against breaches of the GDPR.

Employee device security can be enhanced by pre-installing an antivirus or anti-malware app. Certain apps with security vulnerabilities can be banned. IT administrators can prescribe complicated passwords with many characters in the MDM system. It is also possible to define when a computer is automatically logged off.

MDM can detect the so-called rooting (android) or jailbreaking (iOS) of an operating system on an end device, which leads to major security vulnerabilities.

The use of a mobile device management solution therefore prevents the mixing of private and business data. By clearly separating this data, a breach of the DSGVO and internal company compliance can be prevented.