Bring-your-own-device (“BYOD”) – where companies allow employees to use their own mobile phones, tablets, and/or laptops for work – is a practice that is quietly growing year-by-year. In fact, in a study conducted by Tech Pro Research late last year, 74% of respondents said that their organisation either already allows BYOD or is planning to do so within 12 months. Further, numerous studies have shown that employees of organisations which do not allow BYOD are increasingly using unauthorised personal devices at work. And yet, this widespread practice often receives little more than a passing consideration at many companies. Given some of the exposures outlined below, every organisation should consider the legal implications of this trend and decide what measures are needed to mitigate the risks.
Employees often like access to the latest technology, but having to provide it for all employees (and gauging what everyone will wantnext year) can quickly become a very expensive rat race. On the other hand, supplying certain employees with the latest technologies while leaving others without might segregate colleagues into the ‘haves’ and ‘have-nots’.
With limited IT resources, both from an equipment standpoint and in terms of available in-house IT support, companies are quickly realising that BYOD might be the answer. Allowing BYOD enables employees to have the tools that they need without requiring the company to spend excessively or make value judgments as to whether certain departments or employees are worth the expense. Additionally, allowing employees to use tools with which they are more familiar might mean less time diverted from work and fewer after-hours calls to IT. Likewise, the increased flexibility as to how and where tasks can be completed translates into an increase in employee efficiency and productivity.
It should be noted that BYOD may not be right for some organisations, such as certain government entities or companies that manage extremely sensitive financial information and are required to have strict information-control processes in place. In these cases, it would be beneficial to have a document in place that explains the organisation’s policy with regard to BYOD, the rationale for this policy, and any consequences for breaching it. Setting clear guidelines and helping employees understand these external restrictions and obligations on the organisation makes it more likely that employees will comply with the procedure and helps clarify any remedial measures to be taken.
Even if your company does not allow BYOD, the chances are your employees may be using personal devices for work anyway. As a result, a change to BYOD is worthwhile considering and, in any case, it is prudent to address the issues discussed in this article.
What are the risks?
The two biggest risks with BYOD are (i) employees inadvertently jeopardising the security of the company’s networks and (ii) the company inadvertently breaching its employees’ rights to privacy. Both risks are intertwined, as the company will likely need to monitor the employee’s device to ensure that the company’s network is not being compromised, and both can lead to damage to the company’s reputation, costly investigations by regulatory bodies and protracted litigation. Luckily, both can be mitigated by thoroughly considering the legal implications and drafting a clear and comprehensive BYOD policy that addresses them.
It is important to remember that there’s no ‘one-size-fits-all’ BYOD policy. Each company needs to approach BYOD as it does any other significant change to its processes – by analysing the organisation’s needs and formulating a strategy that complements it. The employees’ requirements and the company’s capabilities should be evaluated in tandem.
With that said, every BYOD policy should address the considerations that are applicable at different stages of the employment lifecycle. Please join us for Part 2 of this series, where we will discuss the privacy and personal device considerations that can occur in the three stages of the employment lifecycle and how they can be addressed in the BYOD policy.