Bring-your-own-device (BYOD) policies are popular with employees, who prefer working on devices they pick and own themselves. Employers have little reason to object: productivity goes up and device procurement costs go down.
However, the data protection implications have been swept under the rug for too long. The General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018, and BYOD arrangements will have a tough time complying with its provisions.
Data, Data, Data
The GDPR requires that companies be able to account at all times for the personal data they hold: they must be able to access it and document where it is stored. Transfers to third countries outside the EU require additional safeguards (an adequacy decision, standard contractual clauses or a similar legal basis). This matters a great deal for users of cloud and webmail services whose servers are often located in the US.
The GDPR does not care who owns the device the data sits on; compliance is mandatory either way. The implication is obvious: the data controller remains responsible for personal data even when it is stored on devices the company does not own. A rhetorical question: is it easier to delete a file on your own computer or on your employee's?
Then come the issues of employee privacy. Device management solutions that track the location and state of a device are needed so that you know where the data is and can wipe the device if it is stolen, but the same capability could be used to monitor employees' activities outside working hours. Such monitoring is disproportionate and, in most cases, unlawful.
The woes do not end there. Every extra copy of personal data on a personal device enlarges the attack surface, and a breach exposes the company to fines. Breaches happen very easily on poorly secured BYOD devices.
It is possible to keep everything on lockdown: allow devices to connect only to a centralised server from the private network, so that nothing is stored on the device itself. One does not need a crystal ball to see that this would cause dissatisfaction and a severe drop in productivity. Working on the go is a major benefit of BYOD, and it is hardly possible under such a policy.
Shadow BYOD is something to be aware of as well. Employees often connect unauthorised and poorly secured devices to your company's network (if they can) without your knowledge. This is a huge risk, since you are still responsible for the data stored on those devices even if you have no idea they exist.
It is unreasonable to expect BYOD to go away. A majority of US companies now allow it, and adoption in Europe has not stagnated. What is needed, therefore, is a risk-reduction policy. The risk will never be as low as with dedicated company-owned devices, but the productivity gains may well be worth the increased breach risk.
Simply put, you will have to develop a sound BYOD policy with the help of your Data Protection Officer (DPO). Even if you run a smaller company that the GDPR does not oblige to appoint a DPO, appoint one if you use BYOD.
Good Policies Are Essential
Make BYOD policies a top priority for GDPR compliance. Consider investing in an Enterprise Mobility Management (EMM) system. These systems reduce the risk by running company apps and storing company data in a managed work container that is separate from the employee's personal apps and data. They can also block the installation of risky third-party apps.
You must be able to delete company data on demand, so ensure that the work container can be wiped remotely and selectively, without touching the employee's personal data. Require device encryption and a screen lock. Consider not storing sensitive data on the device at all, since family members who share the device could easily gain unauthorised access to it. Offer prompt support to BYOD users and make sure their devices receive security updates regularly, for example by enforcing a minimum OS version.
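The two paragraphs above describe what a BYOD policy should enforce; the following is an added example (not the page's code, and not any particular EMM product's API) of how such a policy can be written down as data and checked against a device inventory before access to company data is granted. It also flags shadow BYOD devices, i.e. identifiers seen on the network with no EMM record, as discussed earlier. The policy thresholds, device records, package names and network sample are all constructed for illustration.

```python
"""Evaluate BYOD device posture against a written policy before granting access."""
from dataclasses import dataclass, field

# Policy thresholds are assumptions for this example; take them from your own BYOD policy.
POLICY = {
    "min_os": {"android": "13.0", "ios": "16.4"},
    "max_patch_age_days": 60,
    "require_encryption": True,
    "require_screen_lock": True,
    "require_work_container": True,
    # Constructed package names standing in for apps the policy forbids.
    "blocked_apps": {"com.example.cloudsync", "com.example.screenrecorder"},
}


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str            # "android" or "ios"
    os_version: str
    encrypted: bool
    screen_lock: bool
    enrolled: bool           # has an EMM inventory record
    work_container: bool     # company apps and data live in a managed container
    days_since_patch: int
    installed_apps: set[str] = field(default_factory=set)
    reported_lost: bool = False


def parse_version(version: str) -> tuple[int, ...]:
    """'13.0.2' -> (13, 0, 2); tuples compare component-wise, so 13.10 > 13.9."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device, policy: dict = POLICY) -> tuple[str, list[str]]:
    """Return (action, reasons).

    action is one of:
      'selective_wipe' - device lost or stolen: wipe the work container only,
                         leaving the owner's personal data alone
      'deny'           - block access to company data until the reasons are fixed
      'allow'          - device meets the policy
    """
    if device.reported_lost:
        return "selective_wipe", ["device reported lost or stolen"]
    if not device.enrolled:
        # No inventory record means we can neither locate nor wipe data on it.
        return "deny", ["not enrolled in EMM (shadow BYOD device)"]

    reasons: list[str] = []
    min_os = policy["min_os"].get(device.platform)
    if min_os is None:
        reasons.append(f"unsupported platform {device.platform!r}")
    elif parse_version(device.os_version) < parse_version(min_os):
        reasons.append(f"OS {device.os_version} below minimum {min_os}")
    if device.days_since_patch > policy["max_patch_age_days"]:
        reasons.append(f"security patch is {device.days_since_patch} days old")
    if policy["require_encryption"] and not device.encrypted:
        reasons.append("storage encryption disabled")
    if policy["require_screen_lock"] and not device.screen_lock:
        reasons.append("no screen lock")
    if policy["require_work_container"] and not device.work_container:
        reasons.append("company data not confined to a work container")
    blocked = sorted(policy["blocked_apps"] & device.installed_apps)
    if blocked:
        reasons.append("blocked apps installed: " + ", ".join(blocked))
    return ("deny" if reasons else "allow"), reasons


def shadow_devices(seen_on_network: set[str], inventory: list[Device]) -> set[str]:
    """Identifiers observed on the company network that have no EMM record."""
    known = {d.device_id for d in inventory if d.enrolled}
    return seen_on_network - known


# Constructed inventory and network sample for demonstration.
INVENTORY = [
    Device("dev-001", "alice", "ios", "17.1", True, True, True, True, 12, {"com.example.mail"}),
    Device("dev-002", "bob", "android", "12.0", False, True, True, True, 90,
           {"com.example.cloudsync"}),
    Device("dev-003", "carol", "android", "14.0", True, True, True, True, 5, reported_lost=True),
    Device("dev-004", "dave", "ios", "17.0", True, True, False, False, 3),
]
SEEN_ON_NETWORK = {"dev-001", "dev-004", "dev-099"}


if __name__ == "__main__":
    for dev in INVENTORY:
        action, why = evaluate(dev)
        print(f"{dev.device_id} ({dev.owner}): {action} {why}")
    print("shadow devices:", sorted(shadow_devices(SEEN_ON_NETWORK, INVENTORY)))
```

The point of returning reasons rather than a bare yes/no is that the denial can be sent to the employee as the support message the paragraph above calls for, and the wipe decision is limited to the work container so that the employer never touches personal data it has no lawful basis to process.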
Education Is Key
All of the above should be codified in a BYOD policy that is comprehensive and clear. Even where technical security is not an issue, employees remain a major risk factor for data breaches, so educating them on keeping data safe and preventing leakage is at least as important as the technical measures.
List the apps that are allowed on a BYOD device and state whether any websites are blocked during working hours when connected to the private network. Enrol and inspect every device, and preferably give each employee security configuration tips for their own device.
Even with sound policies and good technical measures, the future of BYOD is uncertain. With fines as large as they are, up to EUR 20 million or 4 percent of the company's annual global turnover, whichever is higher, there is little room for error. Therein lies the rub: errors are more likely with BYOD devices, but if you are careful enough, you can reap the benefits of BYOD while minimising the risks.