Your client, a multinational whose business involves regular cross-border data transfers, solicits your help with the development and implementation of an effective and compliant “bring your own device” (BYOD) program to address employee use of personal mobile devices for work purposes. What are your first five questions?
- What is the client’s policy development strategy?
Developing an effective BYOD policy involves balancing organizational culture against existing employee practices, including habits employees have developed through personal use of mobile devices. In addition to weighing the risks and benefits associated with a “business use only” policy, the client should consider best practices for enforcing policy mandates with regard to employee-owned devices. The client also must assess whether to deploy tracking mechanisms, and if so, what legal obligations will apply to such device- and data-tracking activities.
- What types of devices is the client considering?
Device type implicates a number of issues for multinationals, including whether a mobile device management solution is appropriate for the client and, in turn, which export controls might apply. The organization must develop policies and procedures to follow when a device is lost or stolen, including how to ensure the company can recover data if an employee accidentally (or intentionally) deletes data. Device type matters, and not all devices are created equal.
- How does the client intend for employees to use the devices?
The client will need to determine which employees will be eligible to participate in the BYOD program, and how such participation will operate in practice. For example, if employee device usage could affect overtime considerations, the client may consider limiting device usage to exempt employees only, or restricting it by hour or by task, and building policies that reinforce those limitations. The organization also might employ data segregation software on devices to separate work functions from personal use for eDiscovery and other purposes. Finally, the organization should consider how it will deploy long-distance support for employees working in remote locations, and carefully consider the implications of travel pay laws that might apply to those employees.
- Where do the client and its employees operate – and what privacy regimes apply?
This topic often requires more extensive discussion, as it concerns both locations where the company has a physical presence and destinations employees may visit for work or personal reasons. Assessing legal obligations with respect to foreign privacy laws also depends on who within the client will be responsible for monitoring device usage (the “who watches the watcher” conundrum).
- What geographic or industry-specific legal complexities are of concern to the client?
The client can take the lead by identifying existing issues of concern, which flows naturally to a discussion of the vigilance necessary to keep current in this rapidly evolving area of law. This process involves evaluating the potential impact of proposed rule changes in relevant jurisdictions, including, in particular, forthcoming changes to the EU Data Protection Directive, and how to approach compliance with conflicting legal regimes.
In an article published in the International Association of Privacy Professionals’ Resource Center, “Privacy, Security, and Practical Considerations for Developing or Enhancing a BYOD Program,” James Sherer, Melinda McLellan, and Emily Fedeles offer further guidance on these and other issues associated with BYOD program development. The article looks at real-life BYOD issues that arise in many multinational practices today, and builds upon the authors’ earlier research regarding multinational BYOD use more generally.