The latest hot topic in terms of IT usage in the workplace is the increasingly popular "Bring Your Own Device" (BYOD) policy. BYOD is aimed at providing employees greater flexibility in terms of how they work and where they work, and further aims to reduce costs for businesses in terms of providing electronic appliances. While the introduction of a BYOD policy may fit well into an employer's ethos and flexible working culture, the concept is not without risks and challenges. Primary concerns include data protection and data security, and ensuring that mechanisms are in place to deal with lost or stolen devices and what to do when an employee leaves employment. Accordingly, any business planning to introduce this concept should also roll out a policy which addresses these risks.
A BYOD culture essentially allows an employee to access Company data on his/her own device at a time and location that is convenient to him/her. An employer should devise its strategy, and accordingly its BYOD Policy (to allow employees to access its systems), in conjunction with its IT Department. Issues peculiar to the system may dictate certain functionality or compatibility requirements for the proper performance of external devices on the system (e.g. Apple devices only). Additionally, obliging employees to submit the device to the IT Department before connecting to the system, and making connectivity subject to the employee warranting to keep the software up-to-date with the recent software upgrades, may be essential for the on-going maintenance of the system.
The BYOD Policy when devised should address the following:-
- Data Protection – The primary concern from a data perspective is the obligation on data controllers to keep personal data secure and to take "appropriate security measures" to prevent "unauthorised access…or disclosure" of the personal data. Assuming that employees can access personal data on the device (e.g. emails), if that device is lost or stolen, there is a clear risk of unauthorised disclosure of, or access to, personal data. Additionally, an employer will have concerns relating to the confidentiality and security of its sensitive information.
  Accordingly, a prudent employer should ensure the following:-
  - All devices are password protected and encrypted;
  - No data can be stored on the device; instead, data is accessed via Cloud Computing (i.e. the data is stored on servers at remote locations and accessed through a web browser). Data mapping may also be utilised to keep track of where information is stored;
  - All devices can be wiped remotely when lost or stolen, or when an employee refuses to submit the device to the IT Department to be wiped prior to leaving employment. A prudent employer will obtain the employees' consent to carry out remote wiping upfront as part of the BYOD Policy;
  - Employees are obliged to keep the software on the device up-to-date, or the IT Department sets up a command on the device so that, when the device is switched on, it automatically searches for all necessary updates and updates itself accordingly.
- Personal Use – an employer should consider whether it is appropriate and desirable for it to separate business use from personal use in the Policy. This would essentially make it easier for the employer to manage and monitor the devices. However, it will be a difficult task to distinguish personal use from business use as the employee is using his/her own device at both work and presumably at home. It may be appropriate for an employer to keep the distinction vague and distinguish it as "time spent working" and link obligations arising during such time spent to its Internet and Social Media Policies.
- Process – A BYOD Policy should make it clear that submitting the device for approval by the IT Department is a pre-requisite to being afforded access to its systems. It should also outline the process to be followed when an employee is leaving employment and outline that remote wiping will occur if an employee neglects to follow such procedure.
- Ownership – A BYOD Policy should clearly address who owns the device, i.e. whether it is the personal property of the employee, or the property of the employer if, for example, the employer provided an allowance for purchasing it. Depending on the owner, the Policy should also provide for what happens if a device is lost or broken and who is responsible for replacing or repairing it. If, for example, an employer decided to provide a technology allowance, the device would remain the property of the employer. Accordingly, the employer could then decide in its absolute discretion to allow an employee to keep the device if all Company data was removed and the device was submitted to the IT Department for wiping prior to the employee leaving employment.
Employers in certain sectors will undoubtedly be faced with making a decision on whether or not to allow employees to bring their own devices into the workplace to ensure they remain in line with emerging practices. Employers who never before thought it relevant may be encouraged to do so by the cost saving efficiencies and flexible working opportunities that are associated with such a policy. The key to implementing such a policy is planning and ensuring that the IT Department plays an integral role in the drafting of a robust policy. The Policy must balance the employer's needs and also consider how to minimise the data protection risks. When these issues are considered and addressed, a BYOD culture should only increase productivity, decrease costs associated with maintaining IT hardware in the office, and enhance employees' work/life balance.