Proponents of bring-your-own-device (BYOD) policies consider that advantages to employers can include higher productivity, increased staff morale and lower overall IT costs. For employees, BYOD can facilitate mobile and flexible working and be a useful tool to promote better work-life balance.
If an organisation has adopted a BYOD policy, it is crucial that appropriate safeguards and procedures are put in place, and clearly communicated to employees, to comply with data protection obligations and to protect the organisation’s confidential information from being disclosed to third parties, whether accidentally or deliberately.
As part of their BYOD policy, employers should provide guidance to employees on their data protection responsibilities, for example by specifying types of personal data that should not be stored on particular devices, or which can only be stored on devices with high levels of encryption.
They should also make it clear to employees that corporate data can only used for work purposes and should not be disclosed to any third party.
‘Acceptable use’ guidelines should be established to mitigate the risks, such as data leakage, that arise from the use of email and social media on devices that are also utilised to access corporate data.
And technical safeguards, such as strong passwords, data encryption, secure back-up, automatic device locking and the ring-fencing of corporate data, should be implemented by, for example, keeping it within a specific app, and disabling interfaces used to connect to other devices such as printers or storage devices.
Employers should also consider technical measures to protect and delete personal data stored on the device throughout the lifecycle of the device, including after theft or loss of the device; after the employee leaves employment with the organisation; if the device is sold on; or if the device breaks and is returned to the manufacturer.
A clear and effective BYOD policy is the best way for employers to balance the flexibility benefits of BYOD arrangements with managing the security and data protection risks that are inherent in allowing employees to use their own devices.
Anna McCaffrey is senior associate in the employment practice at Taylor Wessing