Businesses have been urged to set up formal agreements with employees before they allow them to use their own laptops and mobile devices at work.
Companies are rapidly moving towards bring-your-own-device (BYOD) policies that encourage employees to use their own devices at work.
But they risk falling foul of privacy regulations if they make any changes to an employee's device without their permission, research by analyst group Ovum has revealed.
“In certain markets there are specific processes you need to go through to be compliant,” said Ovum analyst Adrian Drury in an interview with Computer Weekly. “In Germany, if you want to deploy bring-your-own-device, you not only have to have consent of the employee, but the corporate works council.”
Businesses have a legal duty to protect corporate information. This means that they may need to install security certificates, tracking software, and software to wipe data on their employees' devices, if they are used to access corporate data.
“In the UK, if you lose any customer data, it’s the company that will be liable for a fine, not the individual. It’s a dual blow for businesses – they have to protect data as well as not invading employees' privacy,” said another Ovum analyst, Richard Absalom.
The analyst group advised businesses to work with employees to draw up a BYOD policy that makes it clear what access the corporate IT department will have to personal devices and how employees are expected to handle company data.
“It needs to be a compromise between employee and employer rights. The employee is allowing the company to access their device and wipe it if necessary. But the employer is giving up a certain amount of control, by allowing staff to use their own devices,” said Drury.
Employers need to make it very clear what software they introduce on employees' devices, and must ask their employees' permission before installing it.
“Across every region, you have to get explicit and fully informed consent. You have to tell staff exactly what’s on their device, what act will be monitored, and whether data will be wiped if the device is lost,” said Drury.
Privacy regulations vary considerably from country to country, an analysis by Ovum shows. This can make it difficult for multinationals to introduce a single bring-your-own-device policy to cover multiple countries.
In practice, multinationals are tailoring their BYOD policies to meet the specific legal requirements of each country, rather than introducing a single group-wide policy. “If you are a CIO of a multinational, you have to understand the differences in different markets. It may be that you support BYOD in one market, but not another,” said Drury.