Bring your own device (BYOD) working has become very popular,
and for good reason. With employees able to work wherever they wish, whenever
they wish, it boosts goodwill, enhances productivity and helps businesses gain
the edge over competitors.
However, there are data protection and security
considerations you need to make as an employer if you are promoting BYOD
working.
BYOD and Data Protection
BYOD working raises numerous concerns under the Data
Protection Act 1998. Because you don’t own the devices on which
your data is held, it is vital you think about potential scenarios where
these devices might fall into the wrong hands.
Theft is a real problem, and so is hacking. With devices
connected to your network and access to your data in effect open, robust
antivirus and online security systems are obviously vital. So you have to
consider: do you insist on your own choice of protection, or leave it to your
employee to choose?
The Information Commissioner’s Office (ICO) has issued some
very useful advice on BYOD working and the associated data protection implications,
which is well worth a read.
BYOD and Security
When you have outside devices linking in to your IT system
you are effectively exposed to a host of security issues. A robust management
plan is essential and you need to take time to consider how much of the setup
and configuration you are willing to leave in the hands of the employee.
It is preferable for the IT department to handle things like software
installation and configuration, email account setup, device locking and
encryption so you can be sure of consistency. However, you do need to balance
this with management efficiency, so you may decide to allow some of the more
straightforward tasks to be undertaken by the device user. A set of guidelines
will help keep this under some control.
BYOD Policies
The ICO recommends a ‘BYOD Acceptable Use Policy’ is put in
place. Workers will find it useful to know how they are permitted to use their
devices to process business data and how to keep this separate from personal
material.
If you decide to monitor usage and record the location of
devices using geo-tracking then you will need to officially inform employees as
to how you are monitoring and ensure such monitoring does not infringe on
privacy rights.
A policy on what happens to data and software on devices when
a worker leaves your business is also very important and you may wish to
consider making it the case that devices should be surrendered for clearing by
your IT department when that happens.
If you are thinking about introducing BYOD working into your business, make a start with a read of the ICO’s guidance. Then consult with your HR and IT managers and legal advisers so you can all work together to get policies and systems in place to ensure you are well prepared for every eventuality.