The seemingly unstoppable rise of bring your own device (“BYOD”) in the enterprise heralds a new era of computing in business. A recent global survey by Gartner, Inc. found that 38 percent of the companies surveyed expect to stop providing devices to workers by 2016. This is despite the same survey finding that only 22 percent of the leaders in those companies believed that a strong business case had been made for BYOD. As part of any evaluation of a BYOD strategy it will be important to consider the legal and regulatory risks and how these might be mitigated. This article considers the data protection and security implications of BYOD.
When a business adopts a BYOD program it should be conscious that the personal devices of its employees will be granted access to, and become part of, its IT systems. This immediately raises concerns from a data security perspective, both in respect of the obligations of a business under the Data Protection Acts 1988 and 2003 as a data controller in relation to personal data, and in respect of confidential information that might be accessed on the device. Best practice in this area is constantly evolving, but businesses should consider the following:
- Any business information, including personal data, that is stored on a device should be encrypted and only accessible through the use of secure passwords. It is unlikely that simply relying on the standard PIN code unlock protection built into mobile operating systems will be sufficient to secure the device.
- Devices’ security settings should be correctly implemented and the latest security updates should be applied to the operating systems.
- It should be possible to remotely wipe a device, or the business information on the device, in the event that it is lost, stolen or the employee leaves the business.
- Devices should not be used to access unsecured Wi-Fi networks, particularly when conducting business-related tasks.
- Work tasks should only be undertaken using business-approved applications and services.
In order to ensure compliance with the above best practices a business has two main tools: Mobile Device Management (“MDM”) applications and its BYOD policy.
There are a large number of MDM applications on the market that range from self-hosted software programs to software as a service (“SaaS”) solutions. These applications allow you to remotely administer mobile devices, installing software, setting security features and remotely wiping data in the event that a device is lost or stolen.
When implementing MDM applications it will be particularly important to consider the data protection implications of their features. Regardless of the type of MDM application you have chosen, you should carefully consider which of the features are necessary in order to implement your BYOD program, as it is almost inevitable that you will be collecting and processing the personal data of your employees. Under the Data Protection Acts 1988 and 2003 it is important to ensure that such collection and processing is not excessive. For example, whilst many MDM applications allow for the collection of GPS data relating to mobile devices by default, businesses should consider whether collecting such information is strictly necessary to implement their BYOD policy.
If a business chooses to use a SaaS solution it will also be important to consider where the data collected by the MDM application is stored. The transfer of personal data outside of the EEA is restricted under the Data Protection Acts unless certain conditions are met. Many of the leading SaaS providers are based in the U.S., and even if they are doing business through a local subsidiary this does not necessarily mean the data will be hosted locally. There are a number of ways of addressing the transfer of data outside of the EEA, such as data transfer agreements based on the EU model clauses, or the provider being registered under the EU – U.S. “Safe Harbor” Framework.
The BYOD policy should set out in a clear and comprehensive manner any rights which the business has to access data generated or stored on the BYOD devices. This is particularly important given that employees will use the BYOD devices for their own personal purposes outside of work.
A BYOD policy should also set out in clear terms the employees’ obligations in respect of data security. This will include guidance on the responsibilities of the employee (e.g. setting secure passwords, only using work-sanctioned apps, not logging on to unsecured Wi-Fi networks) and details of the features of the MDM application that is being used (e.g. the remote wipe facility). It will be important to get the consent of the employee to the installation of the MDM application, and particularly to the remote wiping of the device if this is implemented in a way that will affect the employee’s own data stored on the device.