Can A Bring Your Own Device Policy Protect Your Business?

Since the rise in home working, staff working in the office on their work computers is no longer the norm. Nowadays, staff often use various devices to carry out their work, including their own laptops and phones. However, this comes with risks for employers, and as an employer, you must mitigate against those risks. This article will explore how a Bring Your Own Device Policy can protect your business.

What Are the Risks Of Staff Using Personal Devices?

Staff using their own devices for work purposes gives rise to various risks. This includes a loss of control over your company information compared to the level of control you would hold if staff were to use company-owned devices. 

Where your staff can access company information using their personal devices, risks include:

• data breaches if a device is accidentally left on public transport;
• security incidents where a device is subject to a malware attack; and 
• confidential or sensitive information being compromised or stolen.

Your organisation must not compromise on data security when allowing staff to work on their own devices. At the same time, there is a need to strike the right balance between data security and ethical issues around respecting staff privacy.

As an employer allowing staff to use personal devices, you should consider:

• what happens if a device is compromised or misused;
• how to deal with data breaches; and
• how you will deal with lost confidential information and trade secrets.

What is a Bring Your Own Device Policy?

It is common for employees to want to use their own devices to access their work emails and documents, mainly where they work from home. However, employers need control over how personal devices are used for work purposes to protect their systems and data.

A Bring Your Own Device policy is a policy that can help achieve this. This policy typically sets out:

• rules regarding the use of personal devices to protect the business systems;
• rules to prevent the business data from being lost or compromised; and
• circumstances in which the employer may monitor a member of staff’s use of their systems through personal devices.

The key aim of a Bring Your Own Device Policy is to ensure that devices used by staff are secure and there are clear rules for staff to follow when using them.

To implement a Bring Your Own Device Policy, you will need to consider:

• how you keep track of which devices your staff use to access your business data;
• what types of security you will require staff to install on their devices;
• how you will control access to devices containing business information;
• whether you segregate your business information from staff personal information; 
• what happens if a device belonging to staff is lost or stolen; and 
• what happens to a device when a member of staff leaves. 

Thinking carefully and planning before implementing a Bring Your Own Device Policy is essential. You will need to draft your policy according to the specific security requirements and risks for your business.

How Can A Bring Your Own Device Policy Protect Your Business?

There are several benefits to implementing a Bring Your Own Device policy. 

1. Ensuring Your Staff Understand Their Obligations

It is common for staff to want to use their own devices for work purposes. For example, they may want to use their personal phone to check work emails after leaving the office. The use of their own devices could help increase efficiency and staff morale, especially if employers can show that they are flexible and trust staff to use their own devices.

Nevertheless, staff must understand the rules that apply to them, and the policy can be used to set the expectations and standards your business requires. Having a thorough Bring Your Own Device policy means that staff have a source of reference to consult to understand the rules around how they can use their own devices for work purposes. 

2. Improving Your Data Security

Data security threats are among the most significant risks staff pose by using their devices for work purposes. Having a robust Bring Your Own Device Policy can significantly help improve data security, prevent security incidents, and reduce risk.

Training staff on your policy can help raise awareness and prevent data misuse, which could otherwise damage your reputation. For example, your Bring Your Own Device policy can:

• set requirements around password-protecting devices;
• implement rules on using anti-virus software;
• prevent staff from downloading company data without consent; and
• prevent staff from using public unsecured Wi-Fi to access company systems or documents.

3. Demonstrating Compliance With Data Protection Law Rules

You need to understand that if, as an employer, you are a controller of personal data – you will be responsible for your company’s personal data, even where it is stored on staff personal devices. 

Under the UK General Data Protection rules, businesses must demonstrate that they have taken appropriate measures to secure personal data. By implementing a robust Bring Your Own Device policy, your business will be able to demonstrate its compliance with data protection law rules.

Additionally, the UK data protection regulator, the ICO, clarifies in its guidance that data controllers are responsible for the personal data they control. If your organisation is a data controller, you will still be responsible for protecting personal data processed by staff. Therefore, you need to ensure you have clear terms in place to govern the use of any personal data your business controls when accessed on staff devices. For example, personal data relating to your customers or supplier’s staff can be accessed via their mobiles. 

GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

Key Takeaways

Staff using their personal devices for work purposes comes with various threats regarding data security and the misuse of business and personal data. By implementing a Bring Your Own Device policy, you can prevent risk in various ways. An effective Bring Your Own Device policy can help ensure staff follow strict rules when using their own devices, thereby mitigating risks of data security threats. In addition, a Bring Your Own Device policy can help enhance data security and demonstrate compliance with data protection law rules.

If you need help with a Bring Your Own Device policy, our experienced data, privacy, and IT lawyers can assist you as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.