New guidance on 'Bring Your Own Device' (BYOD) policies

If you allow your employees to use their own laptops, smart phones and tablets for work make sure you have read the new BYOD guidance from the Government's Communications Electronic Security Group.

In an ever increasing technological world and with a growth in flexible and remote working many businesses now permit employees to use personally-owned devices for business purposes under a 'Bring Your Own Device' policy ("BYOD"). A BYOD Policy can have significant benefits for organisations, however such permitted use also carries a number of risks.

So what are the risks to your business?

  • There is an inherent risk with personal devices that you lose control of the information stored on them. The fact that information is stored on a personal device does not excuse you from compliance with the Data Protection Act 1998. If the data is accidentally compromised, for example a mobile telephone is lost or stolen, you could be in breach of the DPA and depending on the severity of the leaked information you could face a substantial fine; the current maximum penalty is £500,000 (or higher for Financial Conduct Authority-regulated businesses).
  • The operating systems or software used on personal devices may have vulnerabilities that put data at risk. You should consider whether devices may be 'jailbroken' (a process which may remove some of the default security controls of an operating system) or what apps are installed. These can all create potential vulnerability in security settings of devices.

How do you protect your business?

Although you cannot have complete control of personal devices, implementing clear policies on BYOD as part of your staff handbook will help protect your business from the risks identified above. Here are some tips on what to include:

  • Make clear to your employees the need to maintain a clear separation between data processed for the company and the employee's personal information. Consider what information can be accessed from employees' own devices and whether to limit device access to certain data and services;
  • Make sure employees know exactly what data might be automatically or remotely deleted and under what circumstances;
  • Plan for security incidents - Register devices with a remote locate and wipe facility and have a process in place to quickly and effectively revoke access a device or user might have in the event of the loss or theft of a device. This will protect the confidentiality of information stored on personal devices;
  • Consider the use of encrypted channels to achieve maximum protection of any data transfers;
  • Limit the choice of devices employees can use to those which you have assessed as providing an appropriate level of security for the personal data being processed; and
  • Provide guidance to your employees about the risks to downloading untrusted or unverified apps.

A balance should be achieved between protection of company information and usability of devices; if policies are too restrictive and impact negatively on usability this may drive down compliance. Ultimately your policy needs to be effective, so consult with employees about the extent of the controls and encourage staff agreement.

If your staff handbook needs updating or you would like it reviewed then please contact our Employment Team.

Send us a message