The importance of securing device data ahead of GDPR
Next year will mark 20 years since the UK Data Protection Act was passed. Fast forward to today and it’s clear how much of a different digital era we are in.
Nowadays, companies and organisations across multiple sectors collect, manage, utilise and process vast amounts of data every single day, writes Charles Stewardson, the president of EMEA for FutureDial.
This data, often stored across personal and company devices, is increasingly used for business purposes such as targeted advertising. However, the legislation is now catching up with the times. The General Data Protection Regulation (GDPR), due to be implemented EU-wide on 25 May 2018, will build greater protections for EU citizens’ data, with stricter controls and guidelines over how it is stored and used by organisations.
Nonetheless, there’s clearly an elephant in the room that cannot be ignored – Brexit. Despite the UK’s impending exit from the EU, GDPR laws will be transferred into UK legislation once it has departed the EU and remain intact at least until this transition period is complete. So the fact is that it will affect UK businesses far and wide for the foreseeable future. However, even with this imminent challenge, recent research has highlighted that more than a quarter (28%) of organisations believe they don’t need to comply with the legislation.
The reality is far different, as fines are still common even in the current regulatory environment. True Telecom, for example, was recently fined £300,000 for breaking rules around sales techniques. Given that this was for being irresponsible with customers’ personal information, it is not a big leap to forecast that such cases will become more commonplace once GDPR is implemented. Except that a GDPR breach has a much bigger price tag attached than before. In fact, non-compliance could lead to huge fines of €20m or 4% of global turnover, whichever figure is the larger. Evidently this could lead to existential repercussions for businesses of any size across Europe; for companies like Google, this could mean a loss running into billions of dollars.
Companies must overcome the challenge of becoming sufficiently compliant with GDPR without sacrificing current and established business models. One problem facing the telecoms industry more than others is how to handle data on devices, whether in the hands of the owner or in the second-hand market with devices that have been taken back for recycling, repair, or maintenance. Managing this complex issue is something that the telecoms industry needs to address now.
The challenge of data left on devices
A central pillar of GDPR compliance rests on how a company handles and manages its customer data. Internet service providers, for example, will need to implement strict measures on storing customer information, making sure that they use such information only with the explicit consent of their customers.
Though companies are getting much better at locking down problem data, the fact is that many people just don’t know how much data is stored on their devices. Whether it’s metadata collected on their mobile phones, or data extracted from communications over a desktop, there is a large reservoir of unknown data being held in corporate hands, and it’s being passed on to third-party suppliers and resellers long after a user has finished with their device.
This creates a serious challenge for operators, service providers, IT integrators and IT support companies offering any form of device trade-in, recycling or management service. The onus is on the carrier to make sure that customer data is stored to the highest standards of security, and that all data is removed from devices that are recycled or traded in.
There is also a vital element of trust: as awareness of data lingering on devices rises, companies will come under increasing pressure to answer questions about data disposal and storage. They need to be straight with consumers, giving them sufficient evidence about their data, where it is, and how it is used.
The problem is pronounced for communications service providers (CSPs), who deal with heavy volumes of data traffic transmitted every day. This inherently means that they are responsible for that data’s safety.
CSPs are highly exposed to these problems, as they hold vast amounts of customer financial and billing information, as well as people’s personal credentials. As they actively engage in device sales, resales and exchanges, this stockpiling of personal details could quickly prove dangerous under the new law.
Indeed, this problem presents multiple challenges with regard to company processes and operations, yet it needn’t cause huge disruption to an established model. It’s all about implementing new solutions to process and remove data, and ensuring that customers are provided with this information in a way they can understand, so that everyone’s on the same page.
There are many ways in which companies may put such a solution into effect. One way for a company to stay level with the regulations is to ensure that systems and employees ask for customer consent at each step, and that they maintain the capability to erase a customer’s data footprint entirely, if requested.
Look to the future
Another technology that will soon face this challenge, which makes GDPR even more relevant, is IoT. We are moving beyond the situation where user data is stored on a small number of specific devices, to a new environment where multiple small devices store, share and utilise personal data. As these technologies become ever more prevalent, telecoms companies will have a duty to protect the growing influx of data traffic that pings from the devices.
Ultimately though, the new regulations should be seen as an opportunity rather than a hindrance. Becoming compliant offers companies across the telecoms industry the chance to show their customers how much they care about their personal information, which in the long-term may well lead to improved sales as a result.
In the end, this is all about the appropriate use of the data that companies are being trusted with, wherever that data is stored. Users expect their data to be protected by their providers, whether it is given for payment or accidentally left on a device, and companies need to take that responsibility seriously.