Bring your own device – are you aware of the risks?

Posted 14/04/2014

LeAnn Gilmore Dean

With the huge rise in the use of smartphones, tablets and laptops, there has never been more opportunity for employees to ‘log-on’ out of office hours. This has obvious benefits to businesses, both in driving employee productivity and promoting more flexible working practices. However, the time and expense associated with continually investing in these rapidly evolving technologies could be prohibitive. The solution? BYOD – or Bring Your Own Device.

A 2013 YouGov survey reveals the growing trend towards employees using personal smartphones, tablets or laptops for work purposes (currently as much as 47% of UK adults). But whilst 65% of IT managers say their business allows BYOD, only 23% say their business has a BYOD policy. The picture is clear: businesses are taking advantage of the cost-saving benefits of BYOD but aren’t necessarily protecting themselves against the very real risks arising from potential breaches of data protection laws.

We have all heard the stories of papers containing personal data left on trains and in taxis and the resulting fines imposed on employers for breaching data protection rules. In today’s ‘paperless world’, a lost, stolen or misused smartphone or tablet could have similar repercussions – particularly where sensitive business information is held on a variety of different personal devices used to access confidential emails, work documents or business contacts.

Irrespective of whether it owns the device that is being used to access the data, an employer will likely remain the ‘data controller’ in respect of personal data (and therefore liable for any breaches). An employer’s responsibilities are not reduced simply because it is more difficult for it to monitor and control personal devices and the same degree of protection of personal data is expected in the eyes of the law.

Where BYOD is clearly being used by employees, a business should weigh carefully the risks associated with employees using their own devices, against the cost of supplying a few properly managed and controlled devices to its key employees. If it is still not viable to supply devices or where businesses would like the full spectrum of employees to benefit from BYOD, a BYOD policy should certainly be implemented.

As a minimum, the following practices should be encouraged:

1. Proposed devices should be inspected, approved and monitored (when necessary) by an IT expert;
2. A risk analysis exercise should be conducted and consideration should be given to registering high risk devices with a remote “locate and wipe” facility to maintain the confidentiality of data if a device is lost or stolen;
3. Encryption methods should be used to protect data stored on all devices;
4. Devices should be secured by a strong password;
5. Devices should be set to lock automatically after a specified period of inactivity;
6. Employees should be clear on what type of data can be accessed via personal devices, and personal data stored on personal devices should be kept to a minimum.

What is clear is that a BYOD policy, if properly executed and administered, will add value to a business. Leaving aside the obvious cost savings, employees will have access to up-to-date technologies with which they are likely to be familiar, freeing their time to work more flexibly and productively, and will be encouraged to take care of their devices through personal ownership (thereby reducing replacement and repair costs).

If you are an employer and would like advice on your data protection responsibilities or to discuss any issues associated with BYOD systems and policies, please contact Ashtons Legal’s commercial team.

