BYOD (Bring Your Own Device) is a relatively recent phenomenon and refers to the practice of employees using their own electronic devices such as smartphones, laptops and tablets for work purposes, often connected to a corporate network. Some businesses actively encourage BYOD since there is evidence to suggest that there are benefits to be gained, such as increased worker productivity and morale. Other organisations find themselves in the situation where BYOD happens but it is done without their knowledge and/or any input from the IT staff.
For small businesses and start-ups, where access to email and business information around the clock can be vital, BYOD can be an attractive approach. Regardless of how BYOD enters an organisation, it presents technical, security and legal issues that are best considered before a data security or technical problem arises.
Some of the IT and legal issues that could arise include:
• Support of many different devices – unless the business has a clear policy of which devices can be used, the IT department may be faced with having to provide some level of support for a much wider range of devices and operating systems than they would normally. While a business is unlikely to be able to provide general support for a wide range of devices, they will be faced with dealing with any connectivity issues when BYOD devices are used to access a corporate network.
• Security risks – not only are BYOD devices used outside the physical business premises, they also remain the property of the employee should the employee resign. Company data and applications may still be held on a BYOD device after an employee leaves. This is not only a commercial problem but also a legal one since the company must comply with its data protection obligations.
• Limited control over apps – since BYOD devices are used for both personal and business functions, they are likely to have a wide range of apps installed, some of which may present security risks for a business e.g. file sharing. In addition, businesses may be keen to ensure that applications such as movie streaming are not used on the corporate network.
• Infrastructure issues – the sheer number of additional devices and their differing operating speeds may present difficult challenges for the IT team.
BYOD and data protection
The data protection issues that arise from BYOD are an extension of those raised by remote working since, with BYOD, the physical device is neither owned nor controlled by the business. Apart from the risk of the loss or theft of commercially sensitive data, a UK employer has a legal responsibility under the Data Protection Act 1998 (DPA) to control and protect the personal data it holds.
The 7th principle of the DPA says that a data controller must have appropriate security in place to prevent the personal data it holds being accidentally or deliberately compromised, i.e. the company is still responsible for the security of data even if the data is held on a device over which it does not have direct control.
There are other principles of the DPA that come into play if copies of work documents/data are held on personal devices, namely: Principle 4 (all copies of data need to be accurate and kept up-to-date), Principle 5 (any copies must be kept only in line with appropriate data retention schedules) and Principle 6 (any copies of data may need to be considered as part of the response to a subject data request).
So, there is quite a lot to consider if a business is to implement BYOD effectively and legally. Here are some top tips offered by the Information Commissioner’s Office (ICO), to help an organisation meet its data protection obligations in a BYOD environment:
• Use a strong password to secure devices;
• Use encryption to store data on the device securely;
• Ensure that access to the device is locked or data is automatically deleted if an incorrect password is input too many times;
• Ensure that the device automatically locks if inactive for a period of time;
• Make sure users know exactly which data might be automatically or remotely deleted and under which circumstances;
• Maintain a clear separation between the personal data processed on behalf of the data controller and that processed for the device owner’s own purposes, for example, by using different apps for business and personal use;
• Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all;
• Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft;
• Make sure you have a process in place for quickly and effectively revoking any access a device or user might have in the event of a reported loss or theft;
• Limit the choice of devices to those which you have assessed as providing an appropriate level of security for the personal data being processed; and
• Provide guidance to users about the risks of downloading untrusted or unverified apps.
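The ICO controls above can be turned into a checklist that an IT team runs against its device inventory. The following is an added example, not code from the article or the ICO: it evaluates constructed device records against those controls (passcode strength, encryption, auto-lock, lock-out after failed attempts, remote wipe enrolment, business/personal separation, unassessed cloud sync) and also flags a leaver who still holds access. The threshold values and field names are assumptions chosen for illustration.

```python
# Added example (not from the article or the ICO): checks constructed BYOD
# device records against the ICO controls. Thresholds are assumed values.
from dataclasses import dataclass
from typing import Optional

POLICY = {
    "min_passcode_len": 8,          # assumed organisational minimum
    "max_lock_timeout_s": 300,      # must auto-lock within 5 minutes (assumed)
    "max_failed_attempts": 10,      # lock-out/wipe after this many (assumed)
    "approved_platforms": {"ios", "android"},
}

@dataclass
class Device:
    owner: str
    platform: str
    passcode_len: int
    encrypted: bool
    lock_timeout_s: int
    wipe_after_failures: Optional[int]  # None: feature not enabled
    remote_wipe_enrolled: bool
    work_container: bool                # separate business profile/apps
    unassessed_cloud_sync: bool
    owner_active: bool = True           # False once the employee has left

def evaluate(d: Device) -> list[str]:
    """Return the controls the device fails (empty list = compliant)."""
    checks = [
        (d.platform in POLICY["approved_platforms"], "unapproved platform"),
        (d.passcode_len >= POLICY["min_passcode_len"], "weak passcode"),
        (d.encrypted, "storage not encrypted"),
        (d.lock_timeout_s <= POLICY["max_lock_timeout_s"], "inactivity lock too long"),
        (d.wipe_after_failures is not None
         and d.wipe_after_failures <= POLICY["max_failed_attempts"],
         "no lock-out/wipe after repeated wrong passcodes"),
        (d.remote_wipe_enrolled, "not registered for remote locate/wipe"),
        (d.work_container, "business and personal data not separated"),
        (not d.unassessed_cloud_sync, "unassessed public cloud sharing/backup in use"),
        (d.owner_active, "leaver still holds access: revoke and wipe"),
    ]
    return [msg for ok, msg in checks if not ok]

INVENTORY = [  # constructed sample records
    Device("alice", "ios", 8, True, 120, 10, True, True, False),
    Device("bob", "android", 4, False, 900, None, False, False, True),
    Device("carol", "ios", 8, True, 60, 10, True, True, False, owner_active=False),
]

def non_compliant(inventory: list[Device]) -> dict[str, list[str]]:
    # Map each failing device's owner to the list of controls it fails.
    return {d.owner: f for d in inventory if (f := evaluate(d))}
```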
There is further information available on the risks of and suitable controls for a BYOD environment in the Bring Your Own Device (BYOD) document from the ICO.
The role of a BYOD Policy
A company’s approach to allowing the use of personal devices for work should be documented in a BYOD Policy that is clearly communicated to all employees, regularly audited, and backed by ongoing monitoring of compliance.
A formal BYOD policy is essential for a business encouraging the use of personal devices but businesses wishing to discourage or limit BYOD may also find a formal policy useful. Employees may not be so keen to use their expensive, leading-edge devices at work once they realise that their employer reserves the right to wipe clean the device’s memory should they leave employment and/or upgrade, sell or dispose of the device.
A written BYOD policy can only be prepared once a business has considered and decided their response to the particular challenges BYOD presents, such as those discussed in this article. The ICO provides some tips on what to include in a BYOD Policy; another approach is to use a pre-drafted template such as the Clickdocs BYOD Policy which can also act as a prompt to ensure you have considered all relevant aspects.
About the author:
Joanne Tucker is the Technical Director of Clickdocs legal documents, one of the UK’s leading providers of legal document templates for businesses and consumers.