The ‘bring your own device to work’ challenge
According to a report by YouGov, 65 per cent of companies currently allow employees to bring their own devices to work, but only a quarter said that their organisation has a formal ‘bring your own device’ (BYOD) policy in place. It can be challenging to match what occurs in practice with an underlying policy, but the current disconnect can raise significant issues for employers. Kemp Little has outlined some of the key issues and ways to deal with them below:
Who owns the device?
A personal device used by an employee for work purposes is still owned by the employee and not the business. This inevitably means less control for an employer over a personal device than it would have over its own property. A company nevertheless has to remain in control of data for which it is responsible, notwithstanding the fact that the device is owned by the employee, so any BYOD policy should state that the contents of an employer’s system and any company data remain the property of the company, regardless of who owns the personal device.
How can your business ensure compliance with data protection legislation?
As mentioned above, although a personal device is owned by an employee, the company will still be considered the data controller of personal data belonging to the company that is held on the device pursuant to the Data Protection Act 1998 (DPA). Therefore, any company operating a BYOD policy will need to ensure that all processing of personal data on its employees’ personal devices for business purposes remains in compliance with the DPA. The key to ensuring this is to put in place appropriate security measures to prevent personal data from being accidentally or deliberately compromised. The Information Commissioner’s Office has provided some guidance to UK employers to ensure that their BYOD policies comply with the DPA, including recommended security measures. Some recommended security are measures below…
Click on the link below to read the rest of the Kemp Little briefing.