Canada - Being Smart About 'Bring Your Own Device' Letting employees use their personal devices for work purposes can make good business sense for a company. Apart from potentially saving on overhead, many employees are happier and will work longer and more effectively if they can use their own devices for both professional and personal activities. Companies should nevertheless make sure they've covered off their data security and privacy risks before launching a bring your own device (BYOD) program. Security and privacy sometimes seem to be at cross-purposes in the BYOD context. On the one hand, a company must take steps to prevent any leakage of confidential data, such as might take place where employees regularly share their devices with family members, use an unsecured Wi-Fi network at home, or keep the device and all corporate data on it after termination. On the other hand, a company must ensure that it does not infringe on employees' privacy rights when securing their devices, such as might occur if doing so involves actively monitoring their personal communications, activities and whereabouts. To help companies navigate these thorny issues, privacy regulators have issued guidelines for companies on how to manage the complexities of a BYOD program. For example, Canadian privacy regulators issued BYOD guidelines in August 2015, and the UK's data protection authority published BYOD guidelines in March 2013. Here are a few best practices drawn from both sets of regulatory guidance:
1. Assess the Risks Beforehand Conducting a privacy impact assessment will help you identify the issues and risks associated with the proposed program. Once the risks have been mapped out, key stakeholders (such as IT, legal, finance, human resources and management) should be involved to determine how the company will implement the program while safely mitigating the related risks.
2. Develop and Implement A BYOD Policy A clear and enforceable BYOD policy is critical to the success of a BYOD program, as it establishes the rules of the program and the expectations of users. The policy should address a number of issues, including acceptable uses of devices, the ways in which personal information may be subject to corporate monitoring, securing devices, lawful access requests, and transferring or deleting data from a device after it exits the BYOD program.
3. Install and Update Security Measures A company should take steps to protect devices against unauthorized access or data loss, such as by requiring password use, regularly installing patches and security updates, and encrypting data on devices. If the company automatically connects to and manages personal devices, then this should be addressed in the BYOD policy.
4. Train Employees on BYOD IT professionals and employees should be trained on the rules and protocols of the BYOD program, including with respect to the administration of the BYOD program, patch and software vulnerability management, incident management, and authentication and authorization procedures.
For more information, please contact Theo Ling, Arlan Gates or Jonathan Tam.