global insurance management

BYOD - Bring Your Own Devices


Mar 24 2014

BYOD and implications for Data Protection and Security

Relevance:                   All regulated firms.

Action required:           Decide if you wish to allow BYOD – Bring-Your-Own-Devices.

As more and more people get access to mobile technology so there is a growing trend in businesses of all sizes to give consideration to something known as Bring Your Own Device (BYOD).  This is where employees bring their own devices, such as smartphones, tablets and laptops into the workplace and use them to conduct company business.

Apparently, such a move is being promoted because of the potential in cost savings and increased productivity for employers; some analysts also claim that BYOD boosts morale and engagement for employees.

However, before any consent is given to such requests, it is vital that firms understand how BYOD would impact on their obligations under the Data Protection Act.

The Information Commissioner’s Office (ICO) states that “The Data Protection Act 1998 (the DPA) is based around eight principles of ‘good information handling’. These give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.”

A named individual in the firm is registered as the Data Controller, who must comply with the data protection principles and in this instance, principle 7:

  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Therefore, permitting a range of devices to process personal data held by the firm gives rise to a number of questions a data controller must answer in order to continue to comply with data protection obligations. It is important to remember that the data controller must remain in control of the personal data for which he is responsible, regardless of the ownership of the device used to carry out the processing.

So, permitting BYOD might promise improved productivity, reduced capital expenditure and better work-life balance for employees. 

However, it also promises security and compliance problems for organisations that have inadequate BYOD policies:

  • A poorly thought out BYOD implementation brings more headaches than benefits;
  • A really good BYOD policy will set out clearly for staff what is and isn’t allowed and when combined with a comprehensive Acceptable Use policy, it will help achieve the benefits identified.

Firms should weigh up the following factors:

Reasons to implement BYOD:

  1. BYOD shifts investment and running costs to the employee;
  2. BYOD boosts employee satisfaction;
  3. BYOD can speed up use within the organisation of cutting edge technology;
  4. BYOD eliminates end-of-life device administration;
  • usually, the employee purchases their own preferred device and pays most of the running costs;
  • employees use the device of their own choice for working, rather than whatever the organisation provides, and most people greatly prefer this option;
  • because employees are into their devices, they upgrade more often and more aggressively, personally taking the investment risk of using the latest device;
  • the employee disposes of their own device when they’re finished with it, relieving organisations of the cost and compliance hassle associated with disposing of outmoded mobile devices.

Alongside those interesting benefits come a number of significant risks:

  1. Employee devices will have to connect to the corporate network;
  2. Employee devices will be used for processing data that is protected by regulations such as the Data Protection Act, EU Data Protection Directive, PCI DSS, etc;
  3. Employee devices may store corporate information and protected personal information;
  4. Employee devices will be equipped with applications (including games and apps) that might not be available on corporate devices;
  • which raises the spectre of unauthorised access to corporate information, malicious activity, malware infestations and so on;
  • and the employer remains accountable for the safe processing of that data;
  • if an employee loses the device or leaves the company, the employer will have to recover the data;
  • which means the organisation’s rules about what is and isn’t allowed will be breached from the outset.

And so it seems that there are two distinct approaches to the question of BYOD

Firms either:

  • declare BYOD is not allowed and ensure that all employees are made aware of the position; or
  • embrace BYOD and put appropriate policies and procedures in place, including Mobile Device Management (MDM) systems and a Remote Wipe security function.

It is possible that some firms will already be moving down this technological path and if so, it would be a good time to review whether the necessary safeguards have been created and implemented.

Back to news

Global News Archive

We are now part of the AXA Group Click here

Generation 3 Ceramic  Click here

Cutting edge, Market Leading Software from our Solutions company. Click here