Do not Let BYOD Bring Your Own Demise
13 June 2013
The Information Commissioner's Office (ICO) recently published
two items which highlighted the potential danger to small businesses
from the policy of allowing employees to use their own IT devices for
work-related purposes.
This practice, commonly known as Bring Your Own Device or BYOD,
has mushroomed in the last 5 years as employees have sought to use
their own smartphones, tablets and laptops for work. As well as finding
it almost impossible to stop, employers have rightly concluded that the
policy increases employee satisfaction and engagement. As a result, BYOD
is being embraced by companies and their IT departments.
However, allowing employees to use their own equipment for work
creates a number of potential problems for IT managers. These range
across software legality, network access, software support and the
issue of particular interest to the Information Commissioner: Data
Protection and Security. Giving employees access to regulated, and
potentially confidential, data on their own devices brings with it a
series of risks which could result in small businesses breaking the
law, or losing control of data vital to their success.
The survey, commissioned by the ICO with YouGov, shows that
nearly half of employees have used at least one of their own personal
devices for work purposes. Whilst e-mail is the favourite application
involved, 35% access work files and 14% connect to work-related
online banking services. Yet despite this widespread use, only
27% of these people have been provided with guidance by their employer
on the work-related use of the devices.
The ICO has used the findings of the survey to highlight its
second publication, a report which provides guidance on what companies
need to consider in respect of data security and control when they
allow personal devices to process personal data for which they are
responsible. Whilst the ICO highlights the need to keep things in
proportion and not introduce counterproductive draconian regulation to
govern simple data which will often be publicly available anyway, it
does make clear that it is the company's responsibility to ensure
compliance with the Data Protection Act WHEREVER data is held.
In order to comply with their obligations small businesses
should firstly ensure that, if they allow BYOD, they have a clear,
written Acceptable Use Policy which should make clear what types of
personal data may be processed on personal devices. They should also
consider their need for a Social Media Policy as BYOD is likely to lead
to an increase in such use.
When drafting the policy, companies should address a number of
Where is the data held
In today's connected world it is often unclear where data is
actually being held. Any piece of data could be:
- on the device itself,
- on an internal server,
- on a public network or cloud server,
- more than one of the above.
You should also remember that a lot of device-based data is
now also automatically backed up to cloud-based networks.
If your company is subject to increased regulation (such as
Financial Services) it is possible that the data in question must not
leave the UK, which raises an additional raft of issues.
The means of getting the data onto the device and from there
to other users or to cloud servers is also important, as whilst much
data storage is encrypted, this is often not the case with data
transfer, particularly if public access wi-fi networks are used.
What happens after it's no longer needed
Once the data is no longer needed it should clearly be
deleted, but this is not always as simple as it sounds. Data can easily
be retrieved after a simple deletion, so more secure deletion methods
should be considered. What happens when the employee leaves or wants to
sell the device? Steps must be taken to ensure that data on these
devices does not leave the company's control.
With many devices it is now possible to physically track their
whereabouts and remotely manage and delete data from them. Whilst this
may assist in the process of data control, small businesses need to
take care that all these systems are enabled and kept enabled, in order
to work effectively, and they must safeguard employees against concerns
that their movements are being monitored for other purposes.
There are several other areas to be considered:
- The proliferation of data into new locations makes it more
difficult for that data to be tracked for the purpose of reporting or
deletion should the data subject require it, or if a FOI request is
- The easy availability of the data may make it more likely
to be used for purposes other than those it was intended for, either by the
company or by the device owner,
- Despite all these listed concerns, it may be possible to use
BYOD as a means to enhance company security by ensuring that high-risk
data is kept on company networks and can only be accessed using secure
equipment, but enabling day-to-day company business to be carried out
on a separate, more open network using BYOD.
So whilst Bring Your Own Device can introduce significant
benefits in terms of employee engagement and productivity, it is an area
which creates its own problems for both IT managers and data
controllers, and in case you're thinking that this is just a load more
red tape, you should remember that the data held by your business is
one of its most important assets and ensuring it does not fall into
the hands of competitors or criminals should be of primary concern to
You can access both the survey and the report on the Information
About the Author
John Norton is a senior business and
finance professional with a big four, blue chip, software and
technology background, and board level leadership experience in
finance, IT, operations, customer service and general management.
He is owner of No Worry Web, which creates and manages small
business web sites and social media presence, for an all-inclusive
monthly fee. For further details see www.noworryweb.co.uk
or call 0845 5191 275.