
BYOD: Solving data protection compliance issues

April 2013

A recent survey commissioned by the Information Commissioner’s Office (ICO) reveals that nearly half of all UK adults use their personal smartphone, tablet computer or laptop for work purposes. This is no surprise, given the increasing demand by employees for flexible and remote working coupled with the exponential uptake of mobile devices. However, the survey also showed that most employers have a laissez-faire attitude towards implementing a Bring Your Own Device (BYOD) policy, raising the spectre of a new source of data protection breaches.

There are a number of variations on the BYOD model, but the common feature of each is the use by employees of personal devices to access and process corporate information alongside their own. Benefits of BYOD that are touted for employers include higher productivity, increased staff morale, and lower total cost of ownership (TCO) of IT. However, the model also raises a host of data protection and other compliance challenges, and these should be dealt with by any employer whose employees use personal devices for work.

A key challenge for employers – as data controllers – will be to address the risks arising from the lack of control over employee-owned mobile devices. Some of these risks are not new – after all, employees working from home have been able to lose work laptops and leak data for years now – but the difference with BYOD is that the employer does not own (and usually does not support) the device. Regardless of who owns the device on which it is processed, the employer must remain in control of the personal data for which they are responsible under the Data Protection Act 1998 (DPA). A failure to do so will expose the employer to risks of enforcement action by the ICO, fines and reputational damage.

The new BYOD guidance released by the ICO is a helpful starting point for employers considering BYOD schemes, whether formal or permissive. The ICO explains some of the risks to evaluate when allowing employees to process personal data using personal devices. It also gives some tips to help mitigate these risks and maintain compliance with the 7th data protection principle, which requires that appropriate technical and organisational measures are taken against accidental loss or destruction of, or damage to, personal data. For example, data controllers should:

  • work with HR and IT departments to establish an effective BYOD policy that provides guidance to employees on their responsibilities, e.g. by specifying types of personal data that should not be stored on particular devices (or which can only be stored on devices with high levels of encryption). The policy should also reinforce that employees can only use corporate data for work purposes;
  • establish an Acceptable Use Policy to mitigate the risks - such as data leakage - that arise from the use of email and social media on devices that are also used to access corporate data;
  • implement technical safeguards such as strong passwords, data encryption, secure back-up, automatic device locking, ring-fencing corporate data (e.g. by keeping it within a specific app) and disabling interfaces used to connect to other devices such as printers or storage devices;
  • consider technical measures to protect and delete personal data stored on the device throughout the lifecycle of the device, including after theft or loss of the device; after the employee leaves employment with the organisation; if the device is on-sold; or if the device breaks and is returned to the manufacturer. Technology is available which wipes or encrypts data remotely on demand, although employers should tell the users which data might be deleted and under what circumstances;
  • consider limiting the choice of devices and/or operating systems to those which the employer has assessed as providing an appropriate level of security for the personal data being processed;
  • given the inherent security risks and the potential transfer of personal data outside the EEA when transferring data via public cloud-based services (e.g. email), only allow personal data to be processed via such services with extreme caution, if at all;
  • provide guidance to employees about the risk of downloading unverified apps in order to mitigate the risks arising from malicious apps; and
  • conduct regular audits and monitor compliance to ensure the BYOD policy is being adhered to.

The ICO’s guidance also highlights that tracking technology used to mitigate the risk of security breaches may itself give rise to compliance issues. Recording the geo-location of devices to monitor data transferred for data leakage and loss may increase the level of workplace monitoring. It can also have privacy implications if monitoring is carried out during periods of personal use. Similarly, technology used to delete data on devices remotely can allow the device to be tracked in real time. In each case, the employer would need to:

  • notify users of the purpose of any monitoring and ensure that it is proportionate and justified by real benefits (see Monitoring employee communications for a discussion of monitoring in the workplace); and
  • ensure that personal data is only used for the specific purpose for which it’s collected and not for the general surveillance of users.

While security of the device – and corporate data processed using the device – needs to be a key focus of any BYOD policy, the ICO points out that BYOD policies should also facilitate compliance with all other aspects of the DPA. For example, connecting devices to a single central repository of corporate data can help mitigate the risk that out-of-date data is stored on different devices or that it is retained for longer than necessary. Employers should also consider how a BYOD scheme will affect their ability to respond to subject access requests under the DPA within the statutory timeframe.

For many organisations, as the ICO survey shows, implementing and enforcing a BYOD policy is a case of bringing some order to a currently chaotic situation. While this is no easy task, it’s necessary to reduce the data security risks that arise from the use of personal devices for work. The new guidance from the ICO outlined in this article will help employers to build a policy, and perhaps even gain the purported benefits of a properly managed BYOD scheme.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Louise Taylor

Louise reviews the ICO’s new guidance on BYOD in light of employers’ compliance challenges.
