Dangerous Devices – The Potential Problems of BYOD
Allowing staff to work on their own smartphones, tablets or other devices (known as Bring Your Own Device or BYOD) can open up your business to legal risk on a number of fronts.
Data protection is a primary concern. Any personal information you have obtained (which could be employee or client data for example) needs to be held securely and processed in accordance with data protection rules. Allowing staff to have access to this on their own devices means you lose control over how it is stored and where it is sent, potentially putting you in breach of the rules. You also need to look at your commercial agreements (such as stand-alone confidentiality agreements and confidentiality clauses within other agreements) which may restrict who can access the commercial data you hold and which may include provisions requiring you to delete it after a certain time – you might be unable to comply with these provisions if the information is held on an employee’s personal device.
Software licences may also be breached by allowing employees to use business software on their own devices and there are also a number of HR considerations and tax implications. In addition to questions about hardware ownership, there may be disagreements about who should pay monthly bills. You will also need to balance your requirement to ensure the security of company data against an employee’s right to privacy, as well as addressing the potential extension of working hours for staff working on their own devices outside of office hours.
There are some practical steps you can take. Design your network architecture so that staff can only access the information you are willing to share, and put technical controls in place (for example, ensuring information is “presented” on personal devices rather than stored locally to minimise the risk of data loss, and requiring different user credentials for BYOD access), balancing these controls against usability. Alternative ownership models, such as allowing staff to choose their own devices which are then purchased and owned by the business and/or allowing staff to use devices owned by your business for personal use, may reduce (but not eliminate) some risks, but they also reduce the potential savings to the business on hardware costs, and employees will often still end up doing some work from their own personal devices simply for convenience.
The most important thing to do, though, is to carry out a thorough audit and risk assessment to identify the potential issues for your particular business, and to draft a tailored policy that addresses these issues as far as possible. Ensure the policy is visible to, and has buy-in from, employees, that compliance is monitored, and that the policy is regularly updated.