'Bring your own device' (BYOD)
With the increase in use of mobile devices and the rise in remote and flexible working, there is a growing demand from employees to use their own personal devices for business tasks. Under this approach, commonly referred to as 'bring your own device' (BYOD), staff may access and store corporate information alongside their own on a personal smartphone or tablet. This raises a number of issues regarding the protection of personal data and confidential information. In response, CESG (the UK government's National Technical Authority for Information Assurance, now part of the National Cyber Security Centre), together with the Centre for the Protection of National Infrastructure (CPNI), has produced summary guidance for employers on how to establish an effective BYOD policy (which can be found here - https://www.gov.uk/government/publications/byod-guidance-executive-summary/byod-guidance-executive-summary#introduction).
Under data protection law, it is the data controller, i.e. the employer, who must protect personal data by taking 'appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.' This has proved difficult with BYOD, since the employee is the owner and primary user of the device and is responsible for its maintenance and support. The employer therefore has far less control over the device (what software runs on it, whether it is patched, who else uses it) while remaining fully responsible for the data held on it.
It is for this reason that employers are encouraged to adopt their own BYOD policy, so that employees can enjoy the flexibility of using their own devices for work without compromising the protection of personal information. CESG has provided a number of starting points to consider when creating a policy:
- The side effects of a bad policy – a policy that is too restrictive on how employees can use their devices may encourage them to undermine it altogether and find ways around it, thereby increasing rather than reducing the security risk. It is more effective to incorporate new BYOD-specific rules into the existing security and data protection policy, so that the employer satisfies its obligations under data protection law with one consistent set of rules.
- Training – employees should be provided with the training and guidance they need to understand their responsibilities when using their own devices. This is particularly important if the device is also used by the employee's family members or handed to third parties (e.g. for repair or maintenance). The employee should know how to keep personal data and confidential information held for work purposes away from those other users.
- Plan ahead – employers should prepare as far as possible for security incidents so they are not caught off guard when a device is lost, stolen or compromised. In that scenario the employer must act quickly to minimise the damage and prevent personal data and confidential information falling into the wrong hands. Because the employer does not own the device, the policy should set out in advance what action will be taken on a lost or compromised device (for example removing corporate data from it) and secure the employee's agreement to it, otherwise the plan may not be enforceable when it is needed.
- Consider alternatives – if employers do not wish to adopt a BYOD policy, they may want to consider alternative solutions such as a 'choose your own device' policy, where employees choose from a range of approved devices that are purchased and primarily controlled by the employer. Another alternative is to allow employees to use company-owned devices for personal use, although this carries significant security risks, as personal applications installed on the device may be able to access the business data stored alongside them.
For further information on the issues raised in this article, please contact a member of the Spencer Wyatt team on 020 7925 8080.