BYOD: data protection and information security issues

Allowing employees to use their own devices to access company data raises data protection issues that a business must answer

BYOD (bring your own device) has been defined as the use of employee-owned mobile devices such as smartphones and tablets to access business enterprise content or networks.

An effective BYOD strategy can lead to a number of benefits for businesses, including improved employee job satisfaction, increased job efficiency and flexibility. BYOD can also provide cost savings from initial device purchase to on-going usage and IT helpdesk support as employees invest in their own devices.

But allowing employees to use their own devices to access company information gives rise to a number of issues that a business must answer in order to comply with its data protection obligations.  

Many of these issues arise from the defining characteristic of BYOD: the employee owns, and to some extent maintains and supports, the device. As a result, the company has much less control over it than over a company-owned device.

An employer will need to address these BYOD issues before enabling employees to bring their own devices to work. These issues include, for example, ensuring that work data is not merged with an employee's personal data, that non-employees, such as family members who use the device, cannot access work data, and what happens when an employee loses a device or resigns.

In seeking to implement a BYOD solution it is important to identify business objectives and benefits, as well as taking into account security, audit and data protection requirements. A multidisciplinary team, including IT, human resources and legal, should be formed to develop a co-ordinated BYOD policy.

Helpfully, the UK Information Commissioner's Office (ICO) recently published BYOD guidance for employers on how to comply with the UK Data Protection Act 1998. By considering data protection risks at the outset, a business can embed data protection at the core of its business activities and raise overall data protection and security standards.

BYOD business policy
Central to the guidance is having a clear BYOD policy so employees connecting their devices to the company IT systems clearly understand their responsibilities. An implementation plan could also lead to a better separation of data. An audit should also be carried out on the types of personal data to be accessed and the devices to be used.

The ICO guidance also says that data security is a prime concern for employers and, importantly, that BYOD should not introduce vulnerabilities into existing secure environments.

Employers should also consider the use of a sandbox or ring-fencing of data, such as by keeping data contained within a specific app, as well as ensuring that, if the device is lost, the data on it is kept confidential and retained via a backup facility.

In terms of legal risk, losing employee or client data could result in the company breaching the UK Data Protection Act, which could leave the company vulnerable to legal claims brought by the employee or client in question or a fine imposed by the ICO.

To address the data protection and security breach risks, the ICO guidance recommends companies consider the following: 

  • Which type of corporate data can be processed on personal devices 
  • How to encrypt and secure access to the corporate data
  • How the corporate data should be stored on the personal devices
  • How and when the corporate data should be deleted from the personal devices
  • How the data should be transferred from the personal device to the company servers
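The sandbox or ring-fencing of corporate data described above, together with the ICO checklist (which data classes may be processed, how they are encrypted, stored and deleted), can be illustrated in code. The following is an added example written for this article, not code from the ICO guidance or from any product: it models a corporate container on a personal device that only accepts permitted data classes, encrypts every record under a key derived from a container passcode, and handles a lost device or a departing employee by wiping only the corporate container while the owner's personal files are left untouched. The encryption uses an HMAC-SHA256 keystream with a separate authentication tag as a stdlib-only stand-in for a real AEAD cipher such as AES-GCM; the permitted data classes, file names and contents are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed policy table: data classes the BYOD policy permits on a personal device.
ALLOWED_CLASSES = {"email", "calendar", "crm_contact"}


def derive_key(passcode: str, salt: bytes) -> bytes:
    """Derive the container master key from the container passcode (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, 200_000, dklen=32)


def _subkey(master: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from the master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for a real stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag authenticates nonce and ciphertext."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any tampered record."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("corporate record failed authentication")
    stream = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class CorporateContainer:
    """Ring-fenced store for work data: every record is encrypted under the container key."""

    def __init__(self, passcode: str):
        self.salt = os.urandom(16)
        self._key = derive_key(passcode, self.salt)
        self._records: dict[str, tuple[str, bytes]] = {}  # name -> (data class, blob)

    def store(self, name: str, data_class: str, plaintext: bytes) -> None:
        if self._key is None:
            raise RuntimeError("container has been wiped")
        if data_class not in ALLOWED_CLASSES:
            raise PermissionError(f"{data_class!r} may not be processed on a personal device")
        self._records[name] = (data_class, encrypt(self._key, plaintext))

    def read(self, name: str) -> bytes:
        if self._key is None:
            raise RuntimeError("container has been wiped")
        return decrypt(self._key, self._records[name][1])

    def raw_blob(self, name: str) -> bytes:
        """What an attacker with the device storage, but not the key, would see."""
        return self._records[name][1]

    def wipe(self) -> None:
        """Crypto-shred the container: drop the key and the records, nothing else."""
        self._key = None
        self._records.clear()


class PersonalDevice:
    """Employee-owned device: personal files sit outside the corporate container."""

    def __init__(self, container_passcode: str):
        self.personal_files: dict[str, bytes] = {}
        self.container = CorporateContainer(container_passcode)

    def remote_wipe_corporate(self) -> None:
        """Lost device or leaver: wipe corporate data only, leaving personal files intact."""
        self.container.wipe()


def demo() -> dict:
    """Walk through the container lifecycle and report what each control achieved."""
    device = PersonalDevice(container_passcode="correct horse battery staple")  # constructed
    device.personal_files["holiday.jpg"] = b"<constructed personal photo bytes>"
    secret = b"Q3 forecast attached"  # constructed corporate content
    device.container.store("q3-forecast", "email", secret)
    try:
        device.container.store("payroll.csv", "hr_payroll", b"constructed payroll export")
        payroll_blocked = False
    except PermissionError:
        payroll_blocked = True
    plaintext_visible_at_rest = secret in device.container.raw_blob("q3-forecast")
    readable_before_wipe = device.container.read("q3-forecast") == secret
    device.remote_wipe_corporate()
    try:
        device.container.read("q3-forecast")
        readable_after_wipe = True
    except RuntimeError:
        readable_after_wipe = False
    return {
        "payroll_blocked": payroll_blocked,
        "plaintext_visible_at_rest": plaintext_visible_at_rest,
        "readable_before_wipe": readable_before_wipe,
        "readable_after_wipe": readable_after_wipe,
        "personal_files_intact": device.personal_files["holiday.jpg"].endswith(b"photo bytes>"),
    }


if __name__ == "__main__":
    for control, outcome in demo().items():
        print(f"{control}: {outcome}")
```

The point of the `wipe` method is that deleting corporate data from a personal device need not touch anything the employee owns: discarding the container key makes every corporate record unreadable even if the encrypted blobs linger in a backup, which is the property a business wants when a device is lost or an employee leaves.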

The ICO also recommends installing antivirus software on personal devices, providing technical support to employees when their personal devices are used for business purposes, and having in place a "BYOD Acceptable Use Policy" that tells users how they may use their own devices to process corporate and personal data. It should also be clear to employees that they may process corporate personal data only for corporate purposes.

The ICO also highlights the BYOD risks associated with increased monitoring at work, arising from the technical measures a company could put in place to ensure the security of company data processed by employees on their personal devices.

The monitoring could include, for example, recording the geo-location of the personal devices or monitoring the internet traffic on the personal devices. Companies must inform employees of the extent of the monitoring and ensure they are satisfied that the monitoring is justified by the real benefits and does not unnecessarily infringe on privacy.

The use of personal devices in the workplace continues to rise, as do the potential legal and data protection risks, so businesses need to think carefully about BYOD and put in place appropriate policies and processes to tackle these issues and thereby minimise the risks associated with BYOD.

Ultimately, businesses are responsible for the security of company data and data protection requirements regardless of the ownership of the device and therefore need to act responsibly with BYOD.

William Long is a partner at law firm Sidley Austin
