Last week, Apple posted the biggest quarterly profit ever made by a public company, a clear sign that the proliferation in the use of mobile technology is not abating. With more employees owning sophisticated tablets and smartphones than ever before, businesses that perhaps once thought the Bring Your Own Device (BYOD) phenomenon might go away are facing continued requests from employees to allow them to use their personal devices for work purposes.
On the face of this, surely BYOD is something to be encouraged? Allowing employees to access their business e-mail account, contacts and documents outside of the office means they can work remotely at any time of day. The parameters of the working day are stretched, which must in turn lead to increased levels of productivity. BYOD can also mean cost savings for organisations, if it is the employee (rather than the employer) that is purchasing the device the employee uses to stay in contact with work outside of core working hours. Whilst potential increased productivity and cost savings are enough for some businesses to embrace BYOD, others have also seen the practice as a useful tool to enhance employee wellbeing and thereby improve staff retention rates.
If the BYOD debate is so clearly one-sided, why are not all businesses jumping on the BYOD bandwagon? The answer lies in the fact that the potential benefits go hand in hand with increased security, data protection and managerial issues for employers.
Let’s take an obvious example. What happens if an employee leaves their mobile phone on a train on their way back from work? Clearly, losing a phone is no more likely to happen if an employee uses his phone for business and personal purposes rather than just personal use. However, the consequences of losing work, business contacts and other confidential data are so much greater if the device is used for business use. Or, what if an employee’s child accidentally uses his parent’s tablet to e-mail a key potential client? Are the consequences of this just embarrassing or could they genuinely jeopardise the business?
Very importantly, employers are data controllers under the Data Protection Act 1998 (DPA) and, as data controllers, they have a duty to ensure compliance with the DPA in respect of data that is processed. Specifically, the seventh data protection principle requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. The employer’s obligations apply irrespective of who owns the device upon which the data is stored, and it is all too easy to see that the employer’s responsibilities become more difficult where the employer is not the owner of the device.
Proceed (but with caution)…
The view amongst many organisations is that having balanced the potential benefits against the perceived risks of BYOD, it is an approach to be embraced, provided that it is managed in an effective way. Helpfully, at the end of 2014 the Centre for the Protection of National Infrastructure (CESG) published guidance for organisations that are both considering and already operating a BYOD approach.
In light of the CESG guidance and based on our experience of dealing with BYOD issues, the key issues that employers should consider in connection with BYOD are as follows:
- Create an effective BYOD Policy. BYOD policies are not new and, whilst we certainly recommend that organisations have one, any policy will only be effective to the extent that it is appropriate for the organisation and backed up with appropriate training, policing and technical support (see below).
- Training. Employees must understand their obligations when accessing company data from their own devices. What additional measures are they expected to take to ensure the confidentiality of the data? What should they do if they suspect a security breach? What constitutes misuse of devices and importantly what is the sanction if they breach any applicable policy?
- Policing. As with all policies and procedures, on-going monitoring of the effectiveness of a BYOD approach will be critical.
- Technical support. Employers should anticipate that employees may require greater IT support initially in respect of matters that arise when using their own devices. Compatibility issues of platforms and devices will need to be considered and thought given (amongst other things) to determining how the employees’ devices will obtain all the necessary updates they require.