BYOD policies have taken off in the last decade, in line with increased worker demands for flexibility. The benefits go both ways: workers are happier and more productive, while the company saves money on device purchases.
Still, BYOD devices present major security and privacy risks that companies must adequately respond to. But these issues are only the top of the iceberg. Namely, future privacy regulations could wreak havoc on the current BYOD strategies that simply are not up to par with state-of-the-art laws. In this article, we will outline the best practices that can help your company ensure compliance with the new regulations, but our advice still stands – tread carefully.
The GDPR
The General Data Protection Regulation will supersede the Data Protection Directive on 25 May 2018. It is a markedly updated piece of legislation that aims to bring the legal environment in line with the current technological developments.
Several conditions for data processing have been restricted, and ensuring transparency and accountability have been the key goals of the lawmakers. Data safety and preventive measures are also extremely important, and companies will have to prove their data handling policies reduce the risks of data breaches as much as possible.
The GDPR stipulates that the data controller must be in control of the data at all times, which can be difficult to ensure if the said controller does not own the device where the data is stored.
This does not play well with BYOD policies, as they are inherently risky and, in fact, it is unclear whether such systems in their current form can be considered GDPR compliant at all. In the next few paragraphs, we will evaluate the potential concerns arising from this practice.
Data Storage
The best way of ensuring data security and reduce the risk of data breaches and leaks is to save as little personal data on BYOD devices as possible.
If personal data is stored, mobile device management tools should be used, along with a sound BYOD policy – and possibly, a social media policy if such use is frequent. When properly implemented, these tools reduce the risk of data loss thanks to encryption and access controls. For example, data can be stored on the employees’ devices, but access can be password-controlled or disabled completely unless the device is connected to the company servers.
Data is best stored on internal memory of the devices. The loss of removable cards can be difficult to detect, and due to a small physical size of these memory cards, they are often impossible to recover once lost.
Data Transfer
Company BYOD policies should restrict excessive data transfers, as this is the best way to lower the risk of a breach. Unsafe practices should be forbidden: public Wi-Fi, always-on Bluetooth or unsecured data transfers via USB keys, especially if the data is sensitive.
Public data backup and transfer services (Dropbox, Google Drive, etc.) should not be used if possible, especially if the risk of data access by third parties has not been taken into account. These servers may be located in non-EU countries, which would require special impact assessments and the fulfilment of additional constraints relating to cross-border data transfers.
If your company opts for the use of these services, the possibility of such transfers must be disclosed to the users and the employees during the process of obtaining consent. In any case, encrypted communication between the devices and the server is crucial.
Data Security
BYOD devices are not exempt from the requirements that other company devices have, regardless of ownership. Any processing must be secure, and no apps or updates should introduce vulnerabilities that could lead to data leaks.
Restricting the installation of third-party apps and forcing secure device settings is a huge leap towards data security and compliance. Modern management suites can also remotely delete work data if the device is lost, or when not required anymore without user intervention. This is important if a company receives a deletion request.
IT departments should provide as much technical support as possible. If the device needs to be sent for warranty repairs, wiping it clean is best practice.
The best practice for working with data is to work with BYOD devices that are remotely connected to the enterprise platform. When employing these systems, data is then transferred only on-demand, and not retained on the device.
Employee Privacy
Even though data leakage by employees gets the most attention, companies should be careful to protect employee data as well. It is their legal requirement, after all, and plenty of employee data they collect is considered particularly sensitive.
As stated above, while companies often approach the problem of both work-related and personal data by ring-fencing data, attention must be paid do ensure the employees’ data is not inadvertently accessed by the company servers and dedicated apps.
Their data is often not encrypted nor protected, and as with all data, their consent must be obtained before collecting it!
As well as overt data access, other, less obvious data is collected. Since it is in the company’s best interest to ensure safety and security of devices, the tools used for that purpose are very comprehensive. They often track the users’ location, usage patterns, and internet traffic.
This can pose a serious privacy risk for employees who use their devices for personal purposes after work, since the data can be used for monitoring purposes. The practice of workplace monitoring is controversial and highly regulated under the EU Member State laws, so be extra vigilant.
The employees’ family members can also use these devices. If they are being tracked – unknowingly – this can be a grave privacy violation. Companies must make sure to notify their employees of such a possibility, if it exists.
Data in the cloud? Better hope for a good forecast.
Record-keeping
Since a company should at all times be aware there their data is, BYOD devices add an extra layer of uncertainty. Consider the requests for data from individuals: a company has to produce all data it has on hand on the said individual.
It may be difficult to be aware of all the devices containing the data in question, which is in itself a security risk – but also a violation of the GDPR. Excessive multiple copies of data not only increase the risk of breaches; the risk of accidentally putting that old, potentially inaccurate data in use markedly increases. If the user has updated their data, that is also a serious violation.
Excessive backups also create issues with data retention policies. Under the GDPR, data cannot be retained for longer than absolutely necessary, and should thus be deleted. Thus, good record-keeping practices – coupled with limiting the number of devices that have access to data – is a good way of mitigating such dangers and demonstrating compliance.
The Human Factor
Employees should undergo regular privacy trainings and workshops. Even the best technological measures cannot help with exposure of personal data due to negligence. The clear message that personal data is sacred should hit home clearly. Most workers are not malicious, they just do not see nor understand the importance of good practices.
The risk that data collected for one purpose will be accidentally used for other purposes increases with the number of separate devices the data is stored on. Some employees may be unaware of the restrictions and process the data in unlawful ways.
Even more innocuous use cases can present major risks: photo snaps at the office could accidentally contain confidential company information that could be left exposed if shared on social media or accidentally e-mailed or pasted in IM apps to unintended recipients. Granted, this is not of concern for the GDPR, but what if personal data were on the line? Then the company is facing huge fines – up to EUR 20 million or 4 percent of its global annual turnover.
BYOD: Fine After All?
Overall, it seems that BYOD does not fundamentally change the requirements for compliance. The GDPR does not much care about whose devices those are – it cares about data safety and security only.
But you should care, since the ownership of the devices matters a lot when they contain data you are responsible for. The GDPR treats data on office PCs and servers the same as on employees’ BYOD phones – now consider where you’d rather have your sensitive data.
This highlights the glaring issue with BYOD: it is doable, but the steep safety requirements make the implementation cumbersome. In turn, you might find out that the cost savings of BYOD are not exactly as huge as you might have imagined it, when you factor in the increased costs of IT staff and solutions.
What does remain, however, is increased productivity and worker satisfaction. The final decision should be reached with guidance of your data protection officer, who should certainly be hired for projects of this magnitude even if the company is not legally required to do so.
Conclusion
Whichever road you take, make sure to always be able to demonstrate compliance. Good record-keeping is imperative the more devices are used, especially if they are not always present on company premises.
All processing should be GDPR-compliant at all times. Data privacy impact assessments can help in determining what data is best not shared with BYOD devices – the potential loss of productivity is outweighed by the financial catastrophe that data breaches result in.
