Bring your own device (“BYOD”) is a practice that allows employees to use personal mobile devices such as smartphones, tablets and laptops for business purposes. Whilst there are apparent benefits to enabling employees with mobile technology, employers should be aware of the commercial and legal issues that may arise and give due regard to security and data protection risks before implementing a BYOD policy.
What are the benefits?
An effective BYOD arrangement can enhance the flexibility of a business environment, and reduce business costs as employees are able to use self-owned or self-provided devices for work purposes. When appropriate security measures are put in place, BYOD can also lead to better organisation of corporate and personal data by way of a virtual barrier and employees can gain proper access to the corporate system with their personal devices through a separate platform without compromising the privacy of their own personal data.
Storage and security of personal data
Employers who hold, process and use personal data may be subject to legal requirements to adopt protective measures against unlawful and unauthorised access to personal data. Employers should therefore consider where personal data to which employees have access via their personal mobile devices is stored (e.g. the company’s own server or a cloud-based platform) and whether appropriate security measures are put in place.
Transfer of data
A typical BYOD arrangement involves the transfer of data between the mobile device and the company’s IT system. Employers should therefore be aware of the potential risk of unlawful interception during such transfer and adopt appropriate security measures, e.g. encryption.
Monitoring of personal devices
Employers may wish to monitor employees’ working practices for a number of reasons, e.g. to ensure compliance with their company policies and legal and regulatory obligations. Accordingly, employers may collect data relating to employees’ use of their personal devices, such as their location data. It is important for employers to have a clear company policy on how they seek to monitor employees’ use of their personal devices, and to ensure that any such collection and use of data would be in compliance with relevant laws.
Impact on existing business environment
The impact of a BYOD policy on the existing business relationships of an organisation should be assessed. In particular, employers should be aware of the potential security exposure caused by a BYOD set-up, which may have an impact on the existing contractual obligations with third parties (e.g. customers or service providers).
In light of the above issues, the following practices may be considered by the employer:
- Separate business applications and data from employees’ own applications and data by adopting different application platforms for business and personal use.
- Adopt protective security measures in personal devices such as encryption and mobile device management, which is a facility that secures and monitors the overall status of a mobile device and allows the employer to remove data on demand in the event that the device is lost or stolen, or when employees leave the company.
- Transfer data in encrypted form and fully assess the relevant risks before using a public cloud-based platform for data storage or transfer.
- Set out a clear and well-publicised BYOD policy addressing the users’ responsibilities and expectations of privacy. In particular, employees should be informed that their use of the device may be monitored and of the purposes of such monitoring activities. Further, an acceptable use and social media policy may also be implemented to provide further guidance on accountability for behaviour during the use of personal devices.