Beware the perils of allowing employees to “bring your own device” (“BYOD”)

Helen Farr

It is no surprise that many employees now want to use their own personal mobile devices at work rather than their employers’ equipment.  There are clear benefits to employees and the business in which they work if a decision is taken to allow employees to do so.

It is an easy way to improve employee morale and job satisfaction by allowing increased flexibility and efficiency in working practices.  It also reduces business costs because employees invest in IT!

But allowing BYOD is not risk free. Businesses need advice on how to implement the right policies and procedures; if these issues are not dealt with correctly, they can have a serious impact on the business.

A key characteristic of BYOD is that personal and business data are stored on the same device. This raises potential risks under the Data Protection Act for the business as the controller of the personal data.  The employer cannot avoid its legal obligations under the Act because the personal data is not being stored on its systems.

What steps can a business take to mitigate these risks?

First, businesses should implement security measures to prevent unauthorized or unlawful access to the data.  As a minimum, users must use a strong password to protect business data.  Ideally, access to devices should be locked and data automatically deleted if an incorrect password is used too many times.  The business should ensure that its employees understand what business data can and cannot be stored on a personal device.

Second, the business must be mindful of the personal usage of the device. Employees’ own personal data, including details of their personal lives, could inadvertently end up on company systems as a result of backup policies or misfiling.

Third, protecting data in the event of loss or theft is a key consideration. Data is only as secure as the security measures in place on that device. Most personal devices are not encrypted, so it is easy for anyone with physical access to the device to read the information stored on it. Many personal devices automatically store copies of data in consumer cloud services such as Apple’s iCloud or Microsoft’s OneDrive (formerly SkyDrive). Such data is then only as secure as the employee’s password for those services.

Fourth, require employees to submit their devices to security configuration by the IT team, or to use a product to enforce separation of business and personal data on the device. However, it is important to obtain employees’ consent before deploying these measures.

Fifth, ensure that if employees leave, the business is able to maintain confidentiality by ensuring that business information can be wiped from the employees’ devices quickly and effectively. Registering with a locate and wipe facility is one way to do this.
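The five steps above amount to a checklist that an IT team can apply to every enrolled personal device. The following is an added example, not code from the post or from any mobile device management product: it evaluates constructed device inventory records against those controls (strong passcode, auto-wipe after repeated failures, encryption, separation of business and personal data, remote wipe enrolment, recorded consent). The record fields, the thresholds of 8 characters and 10 failed attempts, and the sample records are all assumptions.

```python
# Added example: evaluate BYOD device inventory records against the controls
# described in the post. Record fields and thresholds are assumptions, not an MDM API.
from dataclasses import dataclass, field
from typing import Optional

MIN_PASSCODE_LENGTH = 8   # what counts as a "strong" passcode here (assumption)
MAX_FAILED_ATTEMPTS = 10  # device must auto-wipe at or below this many failures (assumption)
CONSUMER_CLOUD = {"icloud", "onedrive", "skydrive"}  # services named in the post

@dataclass
class Device:
    owner: str
    passcode_length: int                 # 0 means no passcode is set
    wipe_after_failures: Optional[int]   # None means auto-wipe is disabled
    storage_encrypted: bool
    work_container: bool                 # business/personal data separation enforced
    remote_wipe_enrolled: bool           # registered with a locate-and-wipe facility
    cloud_backup_services: set = field(default_factory=set)
    consent_recorded: bool = False       # employee consented to IT configuring the device

def evaluate(dev: Device) -> list:
    """Return policy findings for one device; an empty list means compliant."""
    findings = []
    if dev.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append("weak or missing passcode")
    if dev.wipe_after_failures is None or dev.wipe_after_failures > MAX_FAILED_ATTEMPTS:
        findings.append("no auto-wipe after repeated failed passcodes")
    if not dev.storage_encrypted:
        findings.append("device storage not encrypted")
    # Consumer cloud backup is only a concern when business data is not containerised.
    if dev.cloud_backup_services & CONSUMER_CLOUD and not dev.work_container:
        findings.append("business data may back up to a consumer cloud service")
    if not dev.work_container:
        findings.append("no separation of business and personal data")
    if not dev.remote_wipe_enrolled:
        findings.append("not enrolled for remote locate-and-wipe")
    if not dev.consent_recorded:
        findings.append("employee consent to device management not recorded")
    return findings

def report(devices: list) -> dict:
    """Map owner -> findings, listing only devices that fail at least one control."""
    return {d.owner: f for d in devices if (f := evaluate(d))}

# Constructed sample inventory (not real data).
INVENTORY = [
    Device("a.smith", 10, 10, True, True, True, {"icloud"}, True),
    Device("b.jones", 4, None, False, False, False, {"onedrive"}, False),
]
```

Running `report(INVENTORY)` flags only b.jones, with all seven controls failing; a.smith's iCloud backup is accepted because business data sits in a separate work container.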

How best to protect your business?

The most effective way to address these issues is to introduce a well-drafted, clear and up-to-date BYOD policy that is effectively communicated to employees. Involve IT, HR and legal professionals when drafting any policy to ensure all relevant issues are covered. Employment contracts should also be reviewed.

If your business does not already have a policy dealing with these issues, a good New Year’s resolution is to take steps to put a policy in place.
