Posted on 15th May 2018
by Carl White
Key questions about GDPR and data management answered

Summary
• GDPR increases the complexity, risk and uncertainty of corporate operations
• Robust data management technology will help financial services companies to meet regulatory requirements
• Enterprise Mobile Management (EMM) tools, which enable compliance by default, will become increasingly business critical

What is GDPR?
The EU’s General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It will apply to any organisation, regardless of where it is located, that collects or uses the personal data of people living in Europe.

Fines for non-compliance are significant, with maximums of €20 million or 4% of the offender’s turnover, whichever is higher.

Why do financial services companies need to worry about GDPR?
Apart from the punitive fines, GDPR is a Very Big Deal. It introduces additional layers of complexity, risk and uncertainty into an already challenging corporate landscape.

It requires privacy to be a fundamental consideration throughout a whole process – from design to eventual data deletion – rather than built in as an afterthought.

GDPR focuses on personal data
In particular, GDPR has increased the focus on personal data, defined as anything that could identify an individual. Organisations therefore need to determine what details they hold and why, as well as where this data is stored in view of people having the right to have their data corrected and deleted.

This is potentially an exacting task, as multiple copies of data can be held, for example in backup files and across various applications. As noted in our blog post, ‘The age of the mobile workforce has more opportunities’, our mobile-driven world has made this even more challenging, as sensitive information such as email can no longer be contained within the relative safety of the corporate network.

GDPR compliance is not a new concept
However, it’s important to remember that, at its core, GDPR is not a new concept; it is about compliance and making good business practice and risk management legally binding.

The financial services sector is by default scrupulously careful with data. But now more than ever before, companies need technology to help them meet regulatory requirements.

How can Enterprise Mobility Management (EMM) help with GDPR compliance?
EMM allows people to access corporate data outside the traditional office environment, for example on remote and mobile devices, without exposing the organisation to the risk that the data will be intercepted by someone who should not have access to it.

In the context of GDPR, it puts a clear, impervious boundary between personal and business data on a device, so an organisation cannot inadvertently access personal details. EMM is effective because it is designed in a way that closely mirrors how users behave, making it easy for them to act and work in a way that is compliant.

GDPR is focused on data; EMM has been developed from the ground up to keep data safe and compliant. Looked at another way, GDPR moves us closer to a world in which EMM is required in order to be compliant.

How can AirWatch help financial services companies meet GDPR commitments?
Lanware’s chosen EMM tool is the market-leader, AirWatch from VMware, which allows people to use their own personal device in a corporate environment (this is usually the preferred route to being productive), without compromising compliance. There are more details about the advantages AirWatch offers in our blog post, ‘It’s easy to be mobile, harder to stay secure’.

When it comes to GDPR, this gives us a lot of advantages in terms of the compliant solutions we can offer to our clients. AirWatch tackles some specific requirements.

Data is stored in segregated ‘containers’
AirWatch uses ‘containers’ to segregate the data someone uses in a personal capacity from the business data they need to access in the course of their work. The latter can only be accessed on a remote or mobile device with an additional layer of security such as a PIN, second password or fingerprint.

This means that sensitive business data, safe while it sits on the corporate server, does not fall out of GDPR compliance when it is accessed outside the office. It cannot, for example, be copied and pasted onto a home computer. With AirWatch, email becomes a centrally managed, compliant solution.

Policies can be set centrally and pushed out to end point devices to ensure that corporate data retention policies are universally applied, so that ‘stray’ information isn’t left on mobiles and laptops for example.

Data access is tightly controlled
The data accessed on end point devices can also be controlled centrally. For example, AirWatch allows policies to be set that require passwords with specific levels of complexity, or that lock the user out if too many failed login attempts are made.

In addition, access to AirWatch message metadata is restricted, so information on what was sent, when and to whom cannot be shared with other applications.

Granular administrative access can be provided to privacy and general IT settings, allowing different people to handle the area of policy implementation that is relevant to their role. For example, separate security and compliance controls can be provided to the responsible teams.

Data in transit is encrypted
Many things are at greater risk when they are being moved around rather than in a safe, controlled environment, and data is no exception. This is exacerbated by the mobile world in which we now operate.

AirWatch provides end-to-end encryption on all data in transit. Documents containing personal details can be accessed on the move or remotely away from the office safe in the knowledge that there is no risk of sensitive information being compromised.

Data can be deleted remotely
Should the worst happen and a device be lost or stolen, AirWatch allows the data it contains to be remotely wiped, in line with retention policies or data subject access requests. This is a key requirement for GDPR, as it ensures that personal data cannot get into the wrong hands.

The remote data deletion capability on the local device also allows personal data to be removed when staff leave, in line with GDPR stipulations.

GDPR is an uncertainty; Lanware can reduce risk with EMM
Although widely discussed, the GDPR and its repercussions are still relatively unknown quantities. This makes it all the more critical for financial services companies to be prepared by ensuring they are already operating in a compliant manner.

To find out how EMM is a crucial step on your path to compliance, get in touch.