Businesses looking to implement a bring-your-own-device (BYOD) program must be aware that the parameters of what they can and cannot do with a mobile device management (MDM) platform are governed by local data privacy legislation, which inconveniently varies from market to market.
No business should look to deploy a BYOD policy until they understand the implications of monitoring an employee-owned device, the requirement to obtain consent from the employee, and the risk it poses if this consent is not achieved either at the point of MDM solution deployment or at the point of a data loss event.
This is particularly challenging for multinationals hoping to implement a common, business-wide policy.
Ovum’s report, “International Data Privacy Legislation Review: A Guide for BYOD Policies”, maps how data privacy law differs in seven different countries (the US, UK, Germany, China, Australia, France, and Spain) and the EU, the specific implications for what level of monitoring and device-level control is permissible by an employer in these markets, and how consent must be sought from an employee.
The security issues around BYOD can largely be solved
BYOD multiplies the number of networks, applications, and end points through which data is accessed. These are the three main points at which data is vulnerable; so, if left unmanaged, BYOD creates a huge data security risk. The good news for CIOs is that there are a whole range of vendors offering solutions that make it secure to access corporate data from personally owned devices.
Across a range of mobile OSs, including iOS and Android, MDM vendors provide such remote capabilities as enrolment and configuration of devices on the corporate network, enforcing PIN policies, locking and wiping lost or compromised devices, distributing and managing applications, managing documents (e.g. blocking copy/paste and local storage), and tracking device location and activity.
Properly applied, these features make using a personal device secure enough for corporate purposes. The question is whether employees would want or agree to have such controls placed on their own devices.
Monitoring and accessing data and applications on a personally owned device raises legal concerns around data privacy
MDM features such as device activity monitoring, tracking, and remote lock & wipe necessarily involve a certain amount of access and processing of personal data and applications on an employee’s device. This raises concerns around individuals’ data privacy rights.
Legislation differs from country to country, but one stipulation that all regions covered by Ovum’s research have in common is that individuals must give explicit and fully informed consent for any organization to access and process their personal data.
Employee consent is required should a business wish to install an MDM application on their device. If this consent is not given, or if the employee is not made fully aware of the implications (e.g. that their personal data might be wiped if the device is lost or the PIN is entered incorrectly too many times), the employer is likely to be in breach of data privacy regulation and is at risk of a lawsuit.
Rolling out a mobility policy that requires employee consent is the best way around this issue
BYOD therefore presents the enterprise with a dilemma: there is an obvious need to protect corporate data (indeed, if such data includes any personal information, the enterprise is legally bound by data privacy legislation to protect it), but implementing even the minimum security measures may also violate employees’ right to privacy.
The way to negotiate this challenge is to engage with the workforce, and roll out a corporate mobility policy to which employees must sign up before having an enterprise mobility solution installed and being allowed to use their own device at work.
Every business will have specific needs and requirements as well as different regional and vertical-specific regulation to take into account, so there is no set “template” with which to create such a policy. But there are some key points to consider.
The policy should set out both the employer’s and employee’s rights and responsibilities, including who is responsible for airtime costs and technical support. It should also outline what exactly will be accessed on a personal device, and exactly what will happen if the device is lost or compromised, or if the employee leaves the business.
Agreeing to such a policy means that the employee gives fully informed consent for the organization to access personal data on their phone.
If they don’t agree to it and don’t have the MDM solution installed, the employee should be made aware of the implications if they do then access corporate data on a personal device. This is likely to mean disciplinary procedures, as the business has few other ways to protect its data.
Richard Absalom works within Ovum’s Consumer Impact Technology practice, particularly focusing on mobile consumerization. His research examines the impact that mobile devices and applications designed for consumers are having on the corporate environment: identifying the challenges and opportunities it creates for both the enterprise and supply-side vendors; defining the vendor competitive landscape; and providing best-practice recommendations for enterprises and vendors alike.