What is BYOD?
BYOD stands for “Bring Your Own Device” and it relates to the practice of employees using personal mobile electronic devices for work purposes. Such devices include smartphones, tablets, laptops and data storage devices.
Increasing Trend of Employees using their own Devices for Work
The ubiquity of smartphones and tablets, increasing wireless network coverage, the proliferation of social applications and the availability of cloud computing has brought with it more ways in which to access data in the “Post-PC” era, resulting in a significant shift towards BYOD.
The practice of BYOD is in reality already prevalent in many organisations, whether employers are aware of it or not. A survey of UK based Chief Information Officers for example indicated that half of the surveyed business IT networks were compromised in a given year by employees using their personal devices at work. Only a portion of those businesses had a formal BYOD policy in place, meaning that the majority of employees in the surveyed organisations were connecting to the company network in an ad-hoc and unregulated manner.
What does BYOD mean for Employers?
BYOD brings with it a number of benefits. Employees express greater job satisfaction when permitted to use their own preferred devices in the course of their work. This in turn gives rise to improved employee productivity and user efficiency, and decreased IT costs through the avoidance of multiple devices.
BYOD does also raise a number of issues in an employment context. It is important that any organisation which has a BYOD programme in place, or is contemplating introducing BYOD, has a comprehensive policy in place governing how BYOD will operate. A BYOD policy should be regarded as a living document to be updated regularly to keep pace with developments. A cornerstone of any successful BYOD policy is that all parties understand their obligations, and organisations should accordingly take into account some or all of the following:
- New Joiners: Obtain consent to sign employees up to BYOD and train new employees on BYOD policy.
- Departing Employees: Implement means of securing company data held on personal devices when employees are exiting.
- Security/Software Management: Ensure all software is fully licenced and allow installation of company software management. Require access control measures to be put in place, along with regular password changes. Consider allowing data to be stored in cloud only rather than on a personal device.
- Ownership: Address who owns the device in circumstances where an employer provides an allowance for purchasing a device and/or covers monthly bills.
- Privacy and Data Protection: Employees have a right to privacy in the workplace. Equally, employers will want to be able to monitor personal devices used for work. The pending EU General Data Protection Regulation, set to come into effect in approximately two years’ time, will place further obligations on employers in terms of processing personal employee information.
- Working Time: Ensure compliance with working time obligations where employees have the ability to work at a time and location convenient to them.
- Confidentiality: Make clear that employer’s rules around confidentiality apply equally to BYOD devices, and require that loss or theft of a device is reported immediately. Consider methods of erasing data where a device is lost or stolen.
- Disciplinary: Indicate that sanctions may arise from a breach of rules around BYOD, e.g. breach of confidentiality, breach of acceptable use, illegal downloading or hacking.
- Discrimination/Equality of Treatment: Establish whether BYOD will be applicable to all employees or particular categories of employees.
- Revocation/Opt-out: Make clear that the employer can revoke the right to use a device, and equally that an employee can opt out of using their own device.
BYOD Bill of Rights
Employee engagement is key to acceptance and successful deployment of BYOD. The internet security company Webroot has drafted guidelines, dubbed a “BYOD Bill of Rights”, to aid companies and their employees resolve differences relating to the use of personal devices, and offer a broad template for organisations in terms of implementing an effective BYOD policy. The guidelines state that employees have the right to:
- privacy over their personal information;
- be included in decisions that impact their personal device and date;
- choose whether or not to use their personal device for work;
- stop using their personal device for work at any time;
- back up their personal data in case of a remote wipe;
- operate a device that is unencumbered by security that significantly degrades speed and battery life;
- be informed about any device infections, remediation, or other activity that may affect their device’s performance or privacy; and
- download safe apps on their personal device.