Despite a seemingly complete overhaul of data security and privacy as the General Data Protection Regulation rolled out, many security tools fall short when it comes to screening for compliance. How do you protect your organization, your clients and your customers?
Any organization that handles the data of individuals in Europe, including any U.S.-based company that does business there, must now comply with the General Data Protection Regulation (GDPR).
Specifically, GDPR dictates that individuals have the right to be told what personal data of theirs is captured and how it’s used. They also have the right to restrict processing of that data and to have it deleted when they ask.
That’s a challenge for any organization to deliver on. But the challenge doesn’t end there. The ever-increasing use of mobile devices and apps in the workplace puts organizations at a rapidly increasing risk of running afoul of GDPR. This might happen through a malicious attack on a company, but it also might happen when legitimate mobile apps over-collect information, leak data or expose the private information of customers to hackers.
To prevent this, organizations must be able to protect the data and the personally identifiable information (PII) of customers at all times. Given the steep penalties associated with GDPR—as much as 4 percent of global annual revenue, depending on the nature of the offense—companies must take GDPR compliance very seriously.
Are existing security tools up to the task? No. Many fall short when it comes to screening for compliance with GDPR. These tools are good at collecting all the data necessary to run security checks. But many do not examine that data in such a way that they are also able to identify compliance issues in addition to security issues. And that’s a problem. We’re looking at the same data but need to view it through a different lens.
The good news is that it is possible to take data that has traditionally been collected and used for the security evaluation of mobile apps and apply it to gain insight into whether those same apps are in compliance with GDPR.
Let’s look at a few examples. Many app developers rely on third-party SDKs and software libraries to build their apps, and that means they usually don’t fully understand what data is being collected by the apps and where it’s going. This, in turn, makes it harder to secure data and protect it properly. So, on the security side, it’s important to inspect apps for vulnerable libraries that could potentially expose users and their devices to hackers.
On the compliance side, your approach must be different. To comply with regulations like GDPR, you should be examining those same software libraries not just for bugs or coding errors that may open them to security threats, but also to see if they include functionality that may be out of compliance. For example, advertising libraries that collect invasive information from the device’s sensors or user accounts, like the location of the user, may not have a way to opt out or delete the user’s information. This would be a problem for GDPR. Likewise, a text messaging service might present a compliance risk under MiFID II because it sends outbound communications that can’t be tracked centrally.
Another example is apps that ask for more permissions than they should. There are a lot of apps out there with less-than-honorable intent. For example, an innocuous-looking flashlight app might immediately ask to access your calendar and address book. This should be a flashing red alert from a security perspective. When an app requests permissions that have nothing to do with its core purpose, this indicates that the app is in fact doing far more on your phone than it claims.
From a GDPR compliance perspective, enterprises need to look at all mobile apps to understand which of the apps’ data and device requests may violate regulatory or compliance policies. For example, if an app can access the camera, it could also gather photos. Or if it can access the process of placing calls, it could collect call recordings. These are just two cases of “innocent” apps accessing personal and corporate information that is required to be protected under GDPR. Security tools’ dynamic analysis can potentially see this happening, but they may simply not be paying attention to it and alerting on it.
A third example is the encryption of data, especially data in transit. On the security side, you want to ensure that when your employees are browsing the web, they’re using the more secure HTTPS protocol rather than just plain HTTP whenever possible. On the compliance side, regulators might not care that employees are viewing general websites over an unencrypted HTTP connection, but they do care if any PII is traveling over that unencrypted connection.
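The two lenses on data in transit, sketched as an added example that is not part of the original article: the same captured requests are scored once for cleartext transport and once for PII sent over that transport. The app names, URLs, field names and PII patterns are constructed assumptions and far from an exhaustive PII detector.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: requests observed while exercising apps in dynamic analysis.
CAPTURED = [
    {"app": "flashlight", "body": "",
     "url": "http://ads.example.net/t?lat=48.8566&lon=2.3522&email=ana%40example.org"},
    {"app": "news", "body": "", "url": "http://news.example.com/articles?page=2"},
    {"app": "crm", "body": "phone=%2B33123456789",
     "url": "https://api.example.com/contacts"},
    {"app": "chat", "body": "to=%2B442079460958&msg=hi",
     "url": "http://chat.example.org/send"},
]

# Assumed indicators of personal data: suspicious field names and value shapes.
PII_KEYS = {"lat", "lon", "email", "phone"}
PII_VALUES = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+\d{8,15}"),
}

def find_pii(request):
    """Return the sorted PII kinds found in the query string and form body."""
    fields = parse_qsl(urlsplit(request["url"]).query) + parse_qsl(request["body"])
    kinds = set()
    for key, value in fields:
        if key.lower() in PII_KEYS:
            kinds.add(key.lower())
        kinds.update(kind for kind, rx in PII_VALUES.items() if rx.search(value))
    return sorted(kinds)

def is_cleartext(request):
    return urlsplit(request["url"]).scheme == "http"

def security_lens(requests):
    """Security view: every app that sent anything over plain HTTP."""
    return [r["app"] for r in requests if is_cleartext(r)]

def compliance_lens(requests):
    """Compliance view: only cleartext requests that carry PII, with the kinds."""
    return {r["app"]: find_pii(r) for r in requests
            if is_cleartext(r) and find_pii(r)}

if __name__ == "__main__":
    print("security:", security_lens(CAPTURED))
    print("compliance:", compliance_lens(CAPTURED))
```

The news app shows up only in the security view, while the chat app is caught in the compliance view by the shape of a value even though its field name looks harmless.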
The bottom line is that organizations need mobile security solutions that do much more than identify threat risks. They need solutions that also give them visibility into regulatory risks when they occur and that provide visibility into exactly which mobile apps and devices put the enterprise at risk for GDPR noncompliance.
That’s the kind of protection you need to meet GDPR compliance with confidence and avoid costly fines.