Device use puts data control in spotlight

Firstly, the issue of control is vast, from control of operating systems, configuration, control device security and transmissions outside the firewall. The challenge is exacerbated because individuals are accustomed to installing whichever apps they wish and using the cloud backup service they like. This evolves into BYOA (bring your own apps) and BYOC (bring your own cloud) models which mean that uncontrolled company data and files can end up outside the organisation’s firewall.

Where BYOD models are implemented, the spectra of data handled by a company may no longer be in compliance with regulations for geographical regions or industry sectors. What’s more, employee privacy can lead to conflict between employers and their staff.

Organisations in the UK must ensure compliance with the Data Protection Act 1998, which imposes obligations on data controllers to process their data fairly and transparently and to take all appropriate security measures to prevent loss of personal data.

In essence, legal responsibility for protecting personal information lies with the company, rather than the individual owner of the device. The challenge, then, is to ensure that a robust security infrastructure is in place, without impeding the employee’s use of their own device.

The lines become increasingly blurred when trying to differentiate between the employee’s own and the organisation’s data, both stored on the same device. There is a difficult balance to strike – careless deletion of employee personal data, or accessing a device without proper authorisation, might be in contravention of regulations such as the DPA, Computer Misuse Act 1990 or employment practices codes.

Finally, in order to profit from the benefits of BYOD, organisations must implement an effective and coherent policy which safeguards company concerns and obligations, without limiting the employee’s own personal rights. The key elements of a BYOD programme should include the following.

Scope of Participation: Depending on the nature of the data handled by the organisation, it may not make sense for all employees to participate in a BYOD program. Those employees with access to particularly sensitive data or regulated data ought to use a company-controlled device.

Range of Devices: Because of the multiplicity of hardware and software combinations, especially on Android platforms, it can often make sense to include specific products in a BYOD programme whilst excluding others.

Consent to Employer Access: This marks a particular challenge across jurisdictions, as many national data protection rules discount the validity of consent from an employee, arguing that consent cannot truly be provided freely.

Security Rules: Essential to any BYOD program, regardless of other choices, is the inclusion of security requirements. Mobile device management tools facilitate the security of certain user profiles on the device, enable the secure storage of work-related data and files, handle encryption keys between the device and the company’s network, enhance the strength of user passwords and enable remote wiping of either work-related files or the entire device in the event of loss.

Departing Employees: In the event that a BYOD-participating employee leaves the company, regardless of circumstances, it is important for the organisation to have a process in place that includes removal of company data from the device. While company files such as e-mail attachments can be easily identified, distinguishing between company contacts and the employee’s personal contacts can be difficult, especially if the employee was responsible for developing and maintaining external relationships on behalf of the firm.

Financial allowances: Finally, companies will typically reimburse employees involved in a BYOD program, often through a monthly supplement to counter the cost of the wireless service plan. It will be important to consider the amount of reimbursement.

• Callum Sinclair is a partner with DLA Piper www.dlapiper.com