For many, today’s workplace has blurred the boundaries between personal and professional lives. Employees are expected to make and take calls, check emails and respond throughout the day (and, in some cases, the night), and very often it is their own personal technology (mobiles, tablets, laptops) that is used to do so. It is therefore essential that a Bring Your Own Device (BYOD) policy is in place.
BYOD policies need addressing
The trend towards BYOD has created a legal minefield both in terms of data security and compliance, as well as the impact on employees’ work-life balance.
Having a BYOD policy in place and providing training for staff will help ensure all employees understand their responsibilities when using their own devices for work purposes and guarantee all risks are addressed and managed effectively.
Key questions organisations need to consider include:
- Data protection and monitoring
- What happens if there is a data breach and who will be liable
- Is data only available to those authorised to see it
- Is data being backed up to protect from loss or damage
- What happens when a member of staff leaves or is suspended
- What applications can staff use
- Are devices locked with strong passwords and/or encrypted
- Are there restrictions on use of public wi-fi hotspots
It’s important to note that the legal responsibility for protecting other people’s personal information lies with the data controller, not the device owner. It is therefore organisations that are vulnerable if there is a breach of security or a device is lost.
Given that fines of up to £500,000 can be imposed by the Information Commissioner’s Office (ICO) for serious data breaches, it’s a matter not to be taken lightly.
If the worst does happen – and there have been various high-profile cases – and an individual leaves a laptop in a taxi, or has a mobile phone stolen, businesses should have plans in place to quickly and effectively revoke access and remotely wipe sensitive data before it gets into the wrong hands.
Similarly, risks need to be managed in terms of devices using cloud-based storage, where the automated back-up can lead to data being shared unintentionally with other users.
In addition, whereas previously an organisation would no doubt have had an in-house preference for particular operating systems or technology, the vast range of differing personal devices now being used necessitates a change of thinking, not to mention increased levels of IT support.
Any security controls previously applied to corporately owned devices now need to be applied to personal devices too, and the downside is that this can lead to issues of trust between employees and IT control.
The question of work-life balance is another issue – not all employees actually want to be connected to their devices 24/7. Although BYOD can increase productivity, it can also be detrimental to an employee’s health and wellbeing, especially if they feel under pressure to work from home in the evenings, on weekends, or even on holiday.
Of course, others may prefer to stay in touch so they can address issues as they go along, rather than storing up problems, so there is no one-size-fits-all solution.
Where possible, we recommend that organisations give employees a choice about accessing emails and taking calls away from the office, especially at times such as holidays or Christmas.
In summary, the potential pitfalls of today’s trend to BYOD are many and varied. Although IT and HR departments share responsibility in terms of having the right policies and training procedures in place, ultimately it is down to individual employees to exercise care.
Organisations need to be able to demonstrate that they are addressing the issue and are prepared if the worst does happen.
Failure to do so could result in a very expensive mistake.