Helen Mouser

As more employees look to work flexibly, "Bring Your Own Device" has seemed a great way to maintain business continuity whilst keeping staff happy and overheads down. However, it is not a risk-free solution, as a recent survey commissioned by Insurance2go highlights. Helen Mouser looks at the key issues and practical tips for employers.

Did you know that the famous economist John Maynard Keynes predicted in his 1930 essay 'Economic Possibilities for our Grandchildren' that improving technology and productivity would deliver the nirvana of a 15-hour working week? Well, unless all the Brexit talk has sent me slightly doolally, I am fairly certain that utopia has not arrived in my working week.

In fact, a recent survey commissioned by insurance provider Insurance2go has identified a growing trend towards a working culture of 'never knowingly out of the office', fuelled by an increasing reliance on our personal devices, including mobile phones and tablets. According to the survey, a staggering 62% of us are using personal devices to check emails outside of our normal working hours, with women statistically much more likely to log on than men.

Putting aside the bigger question about our work/life culture, there is another question employers should be asking: is it safe?

For the security savvy amongst you this will be familiar territory: for some organisations, BYOD (Bring Your Own Device) will already have been a dream that turned into a nightmare. The risks abound: open wi-fi networks, the introduction of malware, data leaks and opportunistic malicious employees. So how can organisations ensure a BYOD culture is safe?

The National Cyber Security Centre (NCSC), which provides security advice and support on behalf of the UK Government to the public and private sectors, has for many years provided reliable and pragmatic advice on this subject, which can be found here:

https://www.ncsc.gov.uk/guidance/byod-executive-summary

Although not updated since 2016, the key takeaway points remain equally valid today, including:

  • Creating a clear and effective BYOD policy clarifying organisational and employee responsibilities;
  • Limiting the information that can be shared by devices to protect your organisation;
  • Adopting technical solutions which help manage information flows between private and business use;
  • Having a clear plan for managing security incidents, including lost or compromised personal devices.

But what about GDPR?

Following the Insurance2go survey, a number of articles have been quick to point out that allowing employees access to emails and business data on personal devices may be in breach of GDPR.

The GDPR, when taken together with available regulatory guidance, opinions and case law, provides (amongst other things) a framework for 'good information handling'. What 'good' looks (and should look) like in the context of BYOD is dependent on a number of factors, including:

  • what type of data is accessible by the employee;
  • why, where, how frequently the employee needs to use a personal device to access data (i.e. is it for everyday use, or infrequent 'emergency' use?);
  • what level of security is appropriate to the data and the individual data subjects;
  • where and how the data is stored, transferred and shared;
  • available solutions to protect the data against loss, damage or destruction;
  • the individual device's security capabilities; and
  • how organisations can control the device.

As an organisation with data protection responsibilities, you must be able to demonstrate that you have balanced the benefits of a BYOD culture against the risks involved. Increasingly, it is also critical to factor in the cost of ensuring the right policies, procedures and security measures are in place: so-called 'sandbox' technologies are available, for example, but they can be costly and, in our experience, can sometimes miss the mark in terms of delivering a 'silver bullet' solution to the BYOD challenge.

It's also worth mentioning here that GDPR brings yet another complicating factor in the context of BYOD. Even once you are comfortable that you have tackled the security risks associated with BYOD beautifully, you will need to be careful not to fall foul of the rules relating to employee monitoring. Implementing security or monitoring technologies on personal devices can be relatively 'privacy intrusive' and, as such, should be subject to appropriate consideration, including an assessment of the expectations of employees and the carrying out of impact assessments where relevant.

But don't forget: it isn't just about protecting personal data. Losing business sensitive information, ideas and plans for world domination can be equally damaging when in the wrong hands.

It's clear that BYOD can bring cultural and cost benefits, but also risk. Organisations must properly evaluate their legal responsibilities and decide whether the risk is worth it.

For more information on this and other data protection issues please contact Helen Mouser, Senior Associate on +44 (0)1392 685238 or email helen.mouser@footanstey.com.