'Bring your own device': what you should know
With organisations looking for more ways to save costs and increase productivity, and acknowledging the growing popularity of smartphones and tablets, many employers have recognised the benefits of allowing their staff to use their own personal laptops and other electronic devices for work purposes. Under this approach, known as ‘Bring Your Own Device’ (BYOD), a number of organisations are demonstrating their flexibility by allowing their employees and contractors to connect to corporate resources, and to work on and access company-related data, including emails, on their own personal electronic devices.
If implemented correctly, companies that allow BYOD can enjoy numerous benefits, not least to be seen as a flexible employer, boosting employee satisfaction and leading to the attraction and retention of the strongest talent in the market. As with any such approach however, companies would benefit from considering potential risks and ensuring they have the right policies and guidelines in place to ensure confidentiality is maintained, data is protected and their reputation will not be damaged. We will briefly review a few of the key issues employers should be aware of, and then discuss some practical suggestions to ensure all can receive the maximum benefit from a BYOD policy in the workplace.
Key Issues around BYOD
1. Data breach, data loss, and non-compliance risks
In order to comply with the Data Protection Act 1998 (DPA), organisations must keep personal data secure and take suitable measures to prevent “unauthorised or unlawful processing of personal data” and “accidental loss or destruction of, or damage to, personal data.”
An employee using a personal electronic device for work purposes, however, is likely to hold a combination of personal and company information on such a device, for example, within their contacts. If this piece of equipment is lost or stolen, or if an employee decides to leave their employment, an organisation is potentially exposed to unauthorised persons having access to company data. While it is possible to remotely wipe confidential data, this is likely to entail an organisation accessing the personal data of the employee too. A company would be required to gain the employee’s prior consent to process such personal data, or demonstrate that it is in the firm’s lawful interests to do so.
Failure to ensure that sufficient security measures are in place would place an organisation in breach of its data protection responsibilities and put the company, rather than the employee directly at fault, at risk of a fine.
2. Employee/contractor privacy issues
Even if employees have agreed to a clause within their employment contract that allows for extensive remote removal of information, they may be unaware of the extent of such measures (for example, the erasing of an entire iTunes library or photo album), and employee relations are likely to be negatively affected if such action were required. Firms should also be aware that under the DPA an employee can withdraw their consent to the processing of their personal data at any time, and that they are entitled to complain to the Information Commissioner’s Office (ICO) if they wish.
It is therefore recommended that organisations are very clear about any conditions their employees may find objectionable from the outset, aiming to manage their expectations. Employees should be fully aware of the possibility of their employer having access to personal data if this is mixed with company data, and be encouraged to keep the two separate wherever possible. Employers in turn should seek to minimise their access to personal data in the event of a security breach.
Monitoring also needs to be taken into account. Companies will need to consider if and how they will monitor the activities of employees using personal devices. The same types of monitoring applied to a company-owned and company-issued device are unlikely to be appropriate here. Regardless of whether monitoring takes place, employees should be made fully aware of the company’s privacy policies in this context. If monitoring does take place, it should be designed to minimise exposure of the employee’s personal and private information.
3. Access to social media sites
When employees use personal mobile devices, organisations should recognise that their ability to restrict access to social media sites such as Facebook and Twitter is limited. It is advisable to implement a social media policy that sets out what an employee is authorised to do when using their mobile device for work purposes, during both working and non-working hours.
4. Software and emails
Other potential issues employers should be aware of include: ensuring software licensing rules are followed for software installed on a personal device for work purposes; the possibility that an employee could install illegal software on their device (placing the company vicariously at risk); the possibility of employees sending work emails from their personal accounts by mistake; and emails being sent without the appropriate email footers and legal disclaimers.
What measures can companies take?
1) Onboarding – it is critical to ensure that any personal device to be used for business purposes is registered. This ensures users can securely access corporate data, their devices are identified and IT is able to set appropriate controls in place for network and data access. Employees can also be equipped with the appropriate information and awareness to ensure their device and company information is kept secure at all times.
2) Protection against data loss – IT should determine and actively manage which corporate resources can be accessed via employee-owned personal devices and ensure sufficient security measures are in place such as VPN, anti-virus software, firewall activation or encryption. If security is at risk, there are applications on the market that can allow company data to be wiped without removing personal data.
3) Implementation of a BYOD policy – any company that allows employees to use personal electronic devices for work purposes must ensure they are completely transparent regarding the relevant risks and implications. Such a policy should ideally detail the ownership and control of company information, data security, privacy expectations, processes for lost or stolen devices, procedures for departing employees and consequences for any policy breaches.
4) Evaluation of current security policies – all relevant security policies (such as password, remote working and privacy policies) should be reviewed and updated where necessary to reduce legal and liability risk. Data and contact ownership must be established, along with the process for accessing and removing company data from a personal device if the employment is terminated.
5) Adequate information for employees – to manage expectations and ensure a BYOD policy works to the advantage of both parties, employers should ensure employees are fully aware of their obligations and of the procedures in place to protect both company data and personal information. A higher awareness of the implications of carrying out work on a personal device will ensure not only that security is maintained, but also that employee relations remain intact.
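The measures above (registering devices at onboarding, gating access to corporate resources on the device's security posture, and wiping company data without touching personal data when a device is lost or an employee leaves) can be modelled in code. The following is an added illustration written for this article, not part of the original text and not the API of any real mobile device management product; the device attributes, resource tiers and audit log are constructed assumptions chosen to show how a corporate "container" can be kept separate from personal data so that a selective wipe leaves the employee's own files untouched.

```python
"""Toy model of BYOD device registration, posture-gated access and selective wipe.

Constructed example: the checks, resource tiers and data layout are assumptions
made for illustration and do not reflect any specific MDM product.
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    ACTIVE = "active"
    LOST = "lost"            # device reported lost or stolen
    OFFBOARDED = "offboarded"  # owner has left the organisation


@dataclass
class Device:
    device_id: str
    owner: str
    encrypted: bool        # full-disk/storage encryption enabled
    passcode_set: bool     # screen lock configured
    os_patched: bool       # OS at a supported, patched version
    # Company data lives only in the managed container; personal data is separate.
    corporate_container: dict = field(default_factory=dict)
    personal_data: dict = field(default_factory=dict)
    status: Status = Status.ACTIVE


class DeviceRegistry:
    """Registers personal devices and decides what corporate resources they may reach."""

    # Posture requirements a device must meet before it is enrolled (assumed policy).
    REQUIRED_CHECKS = ("encrypted", "passcode_set", "os_patched")
    # Resource tiers: which resources an enrolled device may access (assumed policy).
    ALLOWED_RESOURCES = {"email", "calendar", "intranet"}

    def __init__(self) -> None:
        self.devices: dict[str, Device] = {}
        self.audit_log: list[str] = []

    def register(self, device: Device) -> list[str]:
        """Enrol a device; returns the list of failed checks (empty on success)."""
        failing = [c for c in self.REQUIRED_CHECKS if not getattr(device, c)]
        if failing:
            self.audit_log.append(f"REJECT {device.device_id} ({device.owner}): {failing}")
            return failing
        self.devices[device.device_id] = device
        self.audit_log.append(f"ENROL {device.device_id} ({device.owner})")
        return []

    def may_access(self, device_id: str, resource: str) -> bool:
        """Only enrolled, active devices reach the resources the policy permits."""
        device = self.devices.get(device_id)
        if device is None or device.status is not Status.ACTIVE:
            return False
        return resource in self.ALLOWED_RESOURCES

    def selective_wipe(self, device_id: str, reason: Status) -> int:
        """Remove corporate data only; returns the number of items wiped.

        personal_data is deliberately never touched, which is the property the
        article asks for when a device is lost or an employee departs.
        """
        device = self.devices[device_id]
        wiped = len(device.corporate_container)
        device.corporate_container.clear()
        device.status = reason
        self.audit_log.append(f"WIPE {device_id}: {wiped} corporate items, reason={reason.value}")
        return wiped


def demo() -> dict:
    """Walk a device through onboarding, access, and departure; returns observed results."""
    registry = DeviceRegistry()
    unencrypted = Device("tablet-01", "alice", encrypted=False, passcode_set=True, os_patched=True)
    phone = Device("phone-07", "bob", encrypted=True, passcode_set=True, os_patched=True,
                   corporate_container={"mail": "inbox.db", "contacts": "crm.vcf"},
                   personal_data={"photos": "holiday.jpg", "music": "library.m3u"})
    rejected = registry.register(unencrypted)        # fails posture check
    enrolled = registry.register(phone)              # passes
    before = registry.may_access("phone-07", "email")
    wiped = registry.selective_wipe("phone-07", Status.OFFBOARDED)
    after = registry.may_access("phone-07", "email")
    return {
        "rejected_checks": rejected,
        "enrolled_ok": enrolled == [],
        "access_before": before,
        "items_wiped": wiped,
        "access_after": after,
        "personal_intact": phone.personal_data == {"photos": "holiday.jpg", "music": "library.m3u"},
        "corporate_left": len(phone.corporate_container),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the split between `corporate_container` and `personal_data` is that the wipe routine can only ever see the former, which is how the "wipe company data without removing personal data" requirement in measure 2 is met; the posture checks in `register` are the hook for measure 1, and the audit log gives the evidence trail a departure or lost-device process (measures 3 and 4) relies on.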
In conclusion, while we have highlighted a number of issues that employers should be aware of, it would be wrong to dismiss the benefits of utilising BYOD within the workplace. In a world that is becoming increasingly dependent on mobile technology, employers who remain at the forefront of such developments will be viewed positively by their talent and enjoy numerous other advantages, as detailed at the outset of our discussion. It is imperative however, that employers are able to effectively manage any potential issues and security threats by ensuring adequate policies and controls are in place, and that employees are fully aware of their responsibilities and rights when using their own devices for work purposes.