Should you allow a bring your own device policy?
Employers are realising there are challenges presented by BYOD which, if not dealt with, could have a serious impact on the business
With sales of tablets and smartphones on the rise, it is no surprise that many employees are now using their own devices in the course of their work rather than using company equipment.
Even where employees are not actually taking their devices to the office, they may be syncing their smartphones and tablets to their employer’s systems to allow them to work more flexibly when at home or travelling.
Allowing bring your own device (BYOD) can be beneficial because it can allow for greater flexibility, has the potential to reduce business costs, and can help ensure employees are more easily contactable out of hours.
However, employers are quickly realising there are some particular challenges presented by BYOD which, if not correctly dealt with, are capable of having a serious impact on the business.
Data protection and privacy
A key characteristic of BYOD is that personal and business data are stored on the same device. This throws up two potential risks under data privacy laws.
First, other people’s personal data controlled or processed by the business will likely end up stored on employees’ personal devices, which, if lost or stolen, significantly increases the risk of a data privacy breach.
Second, employees’ own personal data, including details of their personal lives, could inadvertently end up on company systems, whether through backup policies or through misfiling. The risk to employers is real - the Information Commissioner recently took action against the Royal Veterinary College following an incident in which a memory card containing personal data was stolen from a camera owned by a member of staff.
Read more on BYOD
- Consumerisation and BYOD Purchasing Intentions Europe 2013
- BYOD: data protection and information security issues
- BYOD – who carries the can?
- CW500 Club: BYOD best practice
- More than one billion BYOD users predicted by 2018
- Enterprises struggle with security challenge of BYOD
- How to make your datacentre BYOD-ready
Security and confidentiality
The biggest challenge with BYOD is the consequent loss of control over company data. Once stored on a personal device, data is only as secure as the security measures in place on that device. Most personal devices are not encrypted and it is therefore trivial for any person with physical access to the device to access the information stored on it. Furthermore, many personal devices will automatically store copies of data in consumer cloud services such as Apple’s iCloud or Microsoft’s OneDrive (formerly SkyDrive). Such data is then only as secure as the employee’s password for those services.
A good way to handle this problem is to require that employees submit their devices to security configuration by the IT team, or to use a “walled garden” product such as MobileIron or Samsung Knox to enforce separation of business and personal data on the device. However, it is important to obtain employees’ consent before deploying these measures.
Intellectual property (IP)
Generally, the law provides that the rights in works created by employees in the course of their employment are owned by the employer. However, it will be more difficult for an employer to prove that a work was produced in the course of employment where an employee has produced it outside of normal working hours and on their own device.
Where an employee creates works on their own device it will also be more difficult for the employer to find out that those works exist, because the employee could argue that the device is personal and so it should not be subject to search when they leave the business.
To tackle this problem, employers should review their policies and employment contracts to ensure they have adequate provisions to cover rights in works created outside of normal working hours and on other devices.
Employees’ own personal data could inadvertently end up on company systems, whether through backup policies or through misfiling
Businesses will also need to consider whether their software licence terms allow employees to use company software on their own device, without the need for further licences. For example, most Microsoft Office licensing programmes allow employees to sign up for the “Home Use Programme” but require payment of an additional fee.
Employers will also need to consider their employees’ work-life balance and whether the ability for employees to work round the clock could result in a breach of the Working Time Regulations.
Across most of the EU, there is a 48-hour limit on the working week, unless an employee has opted out of this. However, it is becoming increasingly easy and everyday practice for employees to check their emails during the evening or while on holiday. Employers could therefore face issues with employees claiming their employment rights have been infringed or faced with fines and prosecution if the company is in breach of the regulations.
Importance of a good BYOD policy
While the above issues may have you running off to your friendly reseller to buy equipment for your employees to work on, rather than allowing BYOD, it is not all doom and gloom.
The most important element in addressing these issues is a well drafted, clear and up-to-date BYOD policy that is effectively communicated to employees. You will also need to review and update the policy regularly to ensure it continues to provide adequate protection.
Because the issues involved touch upon a number of different disciplines, it would be sensible to involve at least management, IT, HR and legal in formulating your BYOD policy. Employers would also be wise to review their employment contracts to ensure that issues such as confidentiality and intellectual property are expressly dealt with.
Sarah Burke (pictured) is a solicitor at law firm Thomas Eggar.