15 December, 2019
As more organisations embrace the concept of remote working, the number allowing employees to utilise their own devices in the workplace to connect with organisational networks has increased. Bring your own device (BYOD) is thought to increase both employee job satisfaction and efficiency levels as the employee is able to utilise a device that they feel most confident with.
Organisations have obligations relating to the confidentiality, integrity and availability of all the personal data they hold. This means that the organisation is accountable for any business conducted involving personal data on any device, whoever owns it. Therefore, giving an employee access to potentially sensitive or confidential data on a personal device brings with it considerable risks, particularly with regard to the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
Under the GDPR, organisations must have 'appropriate technical and organisational measures' in place to prevent the personal data they hold being accidentally or deliberately compromised. This includes not only physical and organisational security measures but also cybersecurity procedures. Allowing BYOD reduces the control an organisation has over the devices used to process its data and introduces more potential points of failure and vulnerability, so the policy that governs it needs to address each of the areas below.
Firstly, an organisation should consider the suitability of an employee's device. Not only should the device be able to cope with the practical demands of the work, but its security capabilities should meet the organisation's minimum standard. An employee should be required to confirm, and the organisation should where possible be able to verify rather than rely on self-declaration, that the device's operating system is up to date and that relevant security patches have been installed. Additionally, employees should be warned of the risks of installing unverified apps on their device, as these may increase the risk of malicious software being introduced to the organisation's network.
To add further layers of protection, an organisation might wish to consider restricting access to certain websites from a BYOD device, or even establish a Wi-Fi network separate from its corporate network for BYOD connections.
Your organisation should also consider how the employee is to access the organisation's network while working remotely. Whether access to data should be restricted to a specific app, or whether encrypted email protocols should be required, are matters for the organisation to decide. Accessing the organisation's network via an unsecured "coffee house" network increases the risk of data being intercepted or lost. Therefore, use of a secure VPN whenever the device is not connected to the organisation's own network should be a fundamental requirement. Additionally, the organisation should decide how it wishes to store data remotely and how it will subsequently allow a BYOD device to access it. The use of consumer "public" cloud storage services, outside the organisation's control, may increase the likelihood of data being lost.
From a practical perspective, where copies of data (such as PDFs) are stored on many different devices, there is an increased risk that the data will become out of date or inaccurate over time. More importantly, there is a risk that it will be retained for longer than is necessary, and the organisation may face difficulties keeping track of copies. Organisations might therefore find it problematic to respond on time to subject access requests, as having to search multiple devices, some of which the organisation might not even be aware of, will only slow the process.
The use of personal devices might also raise the risk that personal data is processed for purposes different from those for which it was originally collected. To counter this, an organisation might wish to audit the data potentially held on employees' devices to establish whether it is appropriate for that data to be held there or whether it should be held in a more restricted environment.
An organisation must also ensure that its BYOD policy makes provision for the loss, theft or failure of an employee's device. Device geolocation should be enabled, and the capability to wipe data remotely if the device is lost or stolen should be a prerequisite. Where the technology allows, the wipe should be selective, removing the organisation's data and apps rather than the employee's own content, since a full wipe of a personal device destroys the employee's personal data too.
Finally, the organisation must also consider how it deals with an employee who uses BYOD leaving its employment. Provision to retrieve stored documents and delete relevant information from the device should be incorporated into both BYOD policies and employment contracts.
In conclusion, as a data controller, the organisation must remain in control of the personal data for which it is responsible, regardless of the ownership of the device used to carry out the processing. Employees wishing to utilise BYOD should be engaged when developing policies and procedures. They should also be fully aware of their obligations and responsibilities with regards to the use and storage of personal data.
For more information contact Daniel Milnes in our Governance, Procurement & Information department via email or phone on 01254 222313. Alternatively send any question through to Forbes Solicitors via our online Contact Form.