The UK Information Commissioner’s Office (ICO) published guidance on ‘bring your own device’ (BYOD), given the tremendous increase in employees using, or seeking to use, their personal devices to connect to their employers’ systems. The ICO reported that 47% of employees now use personal smartphones, laptops or tablets for work, but fewer than three out of 10 are provided with guidance from their employers.
The ICO’s guidance highlights the importance of keeping information secure when using BYOD schemes, and points out that data controllers remain responsible for the data, even when it is processed on employees’ personal devices.
The guidance aims to help organisations develop policies by pointing out the issues that data controllers should consider when adopting BYOD policies, including types of data accessible, locations of data storage, data transfer, the risk of data loss or leakage, the potential for blurring the distinction between personal and business use, and what to do upon the termination of employment. The guidance also addresses security considerations, including, in particular, password procedures and encryption, device security capabilities, and dealing with loss or theft of a device, as well as device failure and support.
The ICO has recommended that employees seeking to take advantage of BYOD be issued clear instructions on the separation of data and what types of personal data can and can’t be processed on their personal devices. The ICO also suggested limiting use of the cloud to where necessary, and suggested that it would behove organisations to register devices with a service to allow for remote location and wiping should a device be lost or stolen.
While the ICO acknowledged that the cost of BYOD controls can be significant, those costs may pale in comparison with the reputational damage caused by serious data breaches, or the loss of an organisation’s proprietary and confidential information.