Do the benefits of BYOD technology outweigh the risks for businesses?

The significant rise in smartphone sales has led to a similar increase in employers allowing staff to choose their own smartphones for work and home use, and this has opened up a new area of risk. Some employers may not be aware that formal policies and guidance on mobile phone usage are necessary, and that these may need to be reviewed in the light of such schemes.

A YouGov survey in late 2013 suggested that about half of all UK employees use their own smartphone, tablet PC or other portable device for work purposes. The Information Commissioner has suggested that this can have a number of business benefits, such as improved morale, job efficiency and flexibility. In our 24/7 culture, employers may gain increased productivity from their workforce by introducing Bring Your Own Device (BYOD) schemes, but potential data protection pitfalls must be considered and measures put in place to reduce the risk of data being shared with unwanted parties.

Under the Data Protection Act 1998, organisations must look after the personal data that they hold. When it comes to ensuring filing cabinets are locked and only accessed by authorised personnel, this is relatively straightforward. However, it is not as straightforward in the online world, which comprises a labyrinth of ‘rooms’ containing multiple virtual cabinets, with many entry and exit points. 

Loss, destruction of, or damage to personal data

As a starting point, organisations should take appropriate measures to deal with the accidental loss, destruction of, or damage to, personal data (the seventh data protection principle). This can be a minefield for data controllers when personal data is being processed on devices owned and largely controlled by employees. When allowing employees to use their personal phones for work and private use, it is important that IT departments are able to manage them by blocking certain applications or other downloads and wiping the device if it is lost. As employees will be using their phones to access social media accounts, they also need to be aware that this content should not contravene the terms of the employment relationship and the disciplinary procedures which apply within this contractual relationship. If an employee (or any third party) requests access to an organisation’s IT network using their own device, important data protection issues should also be considered. 

The employer should consider whether any personal data could be processed by the portable devices given access to the IT network. There is likely to be some, so the next point to consider is how easy (or difficult) it is to access such information using the device. The device should be protected by a password or PIN, perhaps the most basic form of security. But what if the employee lends their device to a family member or friend and volunteers the code? Could they still access the personal data you control? Another layer of protection may be needed. It is important to bear in mind that users can remain logged in to apps, accounts and websites between sessions, which could lead to inadvertent access being gained if the device was lost or stolen. The access might still ‘look’ lawful despite being unauthorised, and spotting it can therefore be difficult.

Data transference 

Secondly, employers will need to consider how data is transferred between the personal device and the organisation’s IT network. For example, could the personal data be accessed unlawfully by a third party if the personal device was connected to an open Wi-Fi network? The data might be transferred using more traditional means such as a USB drive, memory card or a CD. Encrypting the data would be sensible to add a layer of protection. Employers should also consider whether the personal device has a backup facility in a cloud that is also not under the company’s control. 

When using a BYOD scheme, employers must deal with the fact that sometimes they may end up processing personal data from the employee that has nothing to do with the organisation. It is likely that the employee may use their device for work and personal purposes and the two are not always distinct. Employees do have an expectation that their personal lives are private and any monitoring practice needs to be clear. 

Limiting any damage

Finally, and most importantly, if the security of the device has been compromised, employers must act quickly to limit any damage that this may have caused. This can be a particular concern if an employee is leaving the organisation or has reported the device lost or stolen. One way of dealing with this is to ensure that there is a remote wiping facility that can be used to clean the device. This typically returns it to its factory settings. However, the major disadvantage for the employee is that it does not differentiate between personal and corporate data. There have been reports of employees having their devices wiped with little or no warning, leaving them without their cherished family photographs.

By its very nature, permitting employees to access your IT network using their own personal devices undoubtedly increases the likelihood of personal data being unlawfully accessed or leaked. Some employers may already be allowing such access without having fully considered the implications. Having a comprehensive BYOD policy should ensure that the organisation and its employees are protected. Employees need to know what is expected of them if they use their own device and what measures might be taken in the event of a security breach.

