Human resources at a click

Use of Personal Devices at Work: Why a Bring Your Own Device Policy is Essential

If you have employees who bring their own devices into the workplace and use those devices to deal with company data, you may want to consider a Bring Your Own Device (“BYOD”) policy. Such a policy essentially covers the use of personal mobile phones and computers in the office or for work purposes. Using a personal device for work purposes has some advantages, but it can also create a number of problems for both employers and employees, which is where the BYOD policy comes into play to help protect and safeguard personal data.

Why use own devices?

Nowadays, most people have access to their own personal laptop or smartphone. Smaller businesses, in particular, may see a benefit in allowing the use of personal devices to save the company from having to purchase devices at its own expense. It allows individuals to use items they are familiar with, as and when convenient to them, although many employees may expect a financial incentive for using their own devices as opposed to company ones.

What security concerns are there?

There are higher security risks with employees using their own devices. The ICO recommends that company-issued devices are used, but recognises that, where personal devices are used, there is a difference between employees using their own device but accessing company software and employees using their own devices and software. The latter, it says, carries the highest risk and should be avoided for all but the smallest organisations with an immediate need to work remotely with no other remote working capability.

Security always has to be a priority, as employers have data protection and confidentiality obligations. One of the major risks of using a personal device is the employer’s lack of control. A device could be misplaced or lost, or shared more widely than necessary (for example, with family members on shared devices). The devices may also contain out-of-date software or inadequate access controls (such as weak passwords). As the devices would also be for personal use, they could be corrupted as a result of internet browsing or downloads which are unrelated to work. It may also leave devices more vulnerable to hackers.

The possible consequences also extend post-employment – many organisations require employees to delete or return sensitive or confidential information they may have acquired during employment.  It is much more difficult to ensure this has been done where the device belongs to the individual and not the company.

How can a BYOD policy help?

The ICO guidance highlights that having an effective BYOD policy can minimise the risks associated with using personal devices and the protection of company data. Employers must be able to take measures if needed to protect against unauthorised access and data breaches. A policy can help by providing guidance to employees on what is expected from them including requirements to keep software up to date, to encrypt data and devices, to have automatic locking (for example if the device has been inactive for a period of time) and to use strong passwords.  It should also be clear how employees can report any potential data breach.

It’s also suggested that business and personal use on the devices should be separated, making it easier to manage and monitor.  This can be done via use of different apps. You could also consider the inclusion of a provision to allow sensitive data to be remotely deleted, if necessary, which would reduce the problems associated with lost devices or those belonging to ex-employees. 

If you think your organisation would benefit from a BYOD policy, we have a template available on our Employmentbuddy website. If you want further advice or a more personalised policy, our employment and data protection teams would be happy to assist you.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.

Shauna Jones
Trainee Solicitor
