Bring your own device (BYOD) working has become very popular, and for good reason. With employees able to work wherever they wish, whenever they wish, it boosts goodwill, enhances productivity and helps businesses gain the edge over competitors.
However, there are data protection and security considerations you need to make as an employer if you are promoting BYOD working.
BYOD and Data Protection
BYOD working brings up numerous concerns under the Data Protection Act 1998. Because you don’t have ownership of the devices on which your data is held, it is vital you think about potential scenarios where these devices might fall into the wrong hands.
Theft is a real problem, and so is hacking. With devices connected to your network and access to your data in effect open, robust antivirus and online security systems are obviously vital. So you have to consider: do you insist on your own choice of protection, or leave it to your employee to choose?
The Information Commissioner’s Office (ICO) has issued some very useful advice on BYOD working and the associated data protection implications, which is well worth a read.
BYOD and Security
When you have outside devices linking in to your IT system you are effectively exposed to a host of security issues. A robust management plan is essential and you need to take time to consider how much of the setup and configuration you are willing to leave in the hands of the employee. Ideally, the IT department would handle things like software installation and configuration, email account setup, device locking and encryption so you can be sure of consistency. However, you do need to balance this with management efficiency, so you may decide to allow some of the more straightforward tasks to be undertaken by the device user. A set of guidelines will help keep this under some control.
The ICO recommends a ‘BYOD Acceptable Use Policy’ is put in place. Workers will find it useful to know how they are permitted to use their devices to process business data and how to keep this separate from personal material.
If you decide to monitor usage and record the location of devices using geo-tracking, then you will need to officially inform employees as to how you are monitoring and ensure such monitoring does not infringe on privacy rights.
A policy on what happens to data and software on devices when a worker leaves your business is also very important, and you may wish to consider requiring devices to be surrendered for clearing by your IT department when that happens.
If you are thinking about introducing BYOD working into your business, make a start with a read of the ICO’s guidance. Then consult with your HR and IT managers and legal advisers so you can all work together to get policies and systems in place to ensure you are well prepared for every eventuality.