Date: 23 August 2018

We've been talking to Paul Mather, Divisional Operations Director, about the risk mobile devices pose to your business. Paul is all about the data and, more specifically, business and data protection. Here's what you need to know.

GDPR (the General Data Protection Regulation)

GDPR is enforceable from May 2018 and it talks a lot about data protection by design. Businesses must be accountable, ensuring that data protection is at the forefront of everything they do. As a business you're obliged to adequately protect the data you hold, yet many will approach this in different ways. A cyber report released at the end of last year stated that more than 90% of cyber-attacks tried to take control of connected devices in the workplace. Look around your office at the many devices people have. How many risks does this present?

Data Protection and Recruitment

Bring your own device. It's worrying stuff, but let's look at just a corner of the recruitment industry as an example. I often hear agency owners sharing that their consultants could ring fence "highly placeable" candidate CVs in their email inbox rather than putting them on a centralised system or recruitment database. Aside from the obvious business impact of this, the person in question (i.e. the data subject) has sent their CV to your agency. That makes you (the agency) responsible for securing that data.

As I said, look around your office. Does your agency let consultants 'Bring Your Own Device' (BYOD) into the work environment? They most likely hook up their phone or tablet to your wifi and connect to their work emails. The candidate's CV from the example above, which, remember, your agency is responsible for, is now potentially out in the wild and outside the agency's direct control. Now consider what happens if that consultant's unprotected phone, with its cached emails, is stolen: this could now be considered a breach.

Data and Recruitment

We're using recruitment as an example industry, but the above scenario is typical for any industry. So, what should you do about it? Should you ban all devices from the workplace? Maybe. It's a debate that sparks many opinions. Firstly, it can be shown that overall productivity and customer satisfaction are boosted if staff have access to work functions on a mobile device. Add "it's great for my work/life balance" into the mix. Some employees like to access emails on their commute to avoid working late. On the flip side, it can be argued that staff shouldn't have to work outside their core hours, nor feel obliged to. Both arguments have merit but, either way, if your business allows BYOD it should have a BYOD policy, and that policy should strongly consider the security implications of such practices.

To give you an idea, across ISV and the Dillistone group of companies, we've been looking at BYOD as part of our internal GDPR compliance process. All our non-BYOD portable systems are encrypted in conjunction with multi-layered security. We are looking at options to enact systems whereby, in order to use a BYOD device, it has to meet certain criteria such as encryption, system locks with appropriate password strength and remote wipe facilities. Device access will be switched off for users by default, unless there is a proven business case for it to be turned on (which will, of course, be audited). There are, unfortunately, no easy answers, and it will be a very fine line between appropriate levels of protection for the data you hold and not excessively holding back the productivity of your organisation.
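The BYOD gating just described (access off by default, turned on only for an approved business case, and only when the device meets encryption, lock, password-strength and remote-wipe criteria, with every decision audited) can be modelled as a small default-deny policy evaluator. This is an added illustration, not ISV's or Dillistone's own system; the device posture fields, the minimum passcode length of 8 and the user names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class DevicePosture:
    """Constructed posture record as an MDM agent might report it (assumed fields)."""
    device_id: str
    owner: str
    storage_encrypted: bool
    screen_lock_enabled: bool
    passcode_min_length: int
    remote_wipe_enrolled: bool


@dataclass
class BYODPolicy:
    # Assumed threshold for "appropriate password strength"; tune to your own policy.
    min_passcode_length: int = 8
    # Users with a documented, approved business case. Anyone else is denied:
    # access is off by default rather than on by default.
    approved_users: Set[str] = field(default_factory=set)
    # Every decision (allow or deny) is recorded so the gate can be audited.
    audit_log: List[str] = field(default_factory=list)

    def evaluate(self, device: DevicePosture) -> Tuple[bool, List[str]]:
        """Return (allowed, reasons); reasons is empty only when every criterion passes."""
        reasons: List[str] = []
        if device.owner not in self.approved_users:
            reasons.append("no approved business case: access is off by default")
        if not device.storage_encrypted:
            reasons.append("storage not encrypted")
        if not device.screen_lock_enabled:
            reasons.append("screen lock disabled")
        if device.passcode_min_length < self.min_passcode_length:
            reasons.append(f"passcode length {device.passcode_min_length} "
                           f"below required {self.min_passcode_length}")
        if not device.remote_wipe_enrolled:
            reasons.append("remote wipe not enrolled")
        allowed = not reasons
        self.audit_log.append(
            f"device={device.device_id} owner={device.owner} allowed={allowed} reasons={reasons}"
        )
        return allowed, reasons


if __name__ == "__main__":
    policy = BYODPolicy(approved_users={"alice"})
    print(policy.evaluate(DevicePosture("dev-1", "alice", True, True, 8, True)))
    print(policy.evaluate(DevicePosture("dev-2", "bob", False, True, 4, False)))
    print("\n".join(policy.audit_log))
```

A denied device reports every failed criterion at once, so the user (and the auditor) can see what has to change before access is granted.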