Nowadays it is very common for employees of organizations and companies to be granted access to their e-mails and working files from various electronic devices, such as smartphones, laptops and tablets, by remote access. In fact, most corporate employees reply to e-mails or even open and review documents on their smartphones every day.
As a result, these devices, provided they can access and/or store personal data, are subject to the regulations and restrictions of the General Data Protection Regulation (“GDPR”). Although most companies today are vigorously implementing procedures with regard to the controlling and processing of personal data within the company and its main servers, it is important for companies not to overlook the hidden risks associated with employees’ own electronic devices that are also used for work-related tasks.
One way for companies to address the security issues relating to such remote access to personal data is by including provisions on it in employment contracts. Further, companies have started implementing so-called “bring-your-own-device” policies (“BYOD”), which are intended to provide information and help protect the security of employees’ devices, in line with the GDPR requirements.
A proper BYOD policy, which prescribes the responsibilities of the company on the one hand and of the employees on the other, can vary between companies but usually contains provisions on adequate use, supported devices and applications, as well as information on security obligations and breach notifications.
However, formulating a BYOD policy is only one part of the equation. Besides that, it is also important for companies to inform and educate their employees on data protection, as a single data breach, especially on a large scale, can have tremendous reputational repercussions for companies – not to mention the risk of hefty administrative fines.