EU: Implementation series part 2 - Privacy and security considerations for BYOD

Bring your own device ('BYOD') is a concept that has received significant attention over the past two years as the world adopted, or at least considered adopting, a model that would facilitate work during the COVID-19 pandemic. As encouraging as the model seemed at first, it became riskier and more challenging once organisations started implementing and operating under it. Not everyone was ready for, or fully appreciated, the cyber threats and risks that proprietary data (including client data) was exposed to when a third-party, unverified device gained access to a company's ecosystem. Despite this, it has become apparent that BYOD is here to stay (with the right safeguards in place), providing organisations with an opportunity to resume or continue business as usual, and as smoothly as possible, during the pandemic. Part 1 of the implementation series looked at deciphering data retention policies; part 2 aims to provide companies with practical steps to tackle different privacy-related administrative issues, as Grigoris Sarlidis, Senior Lawyer at A.G. Erotocritou LLC, discusses the risks associated with BYOD policies and the steps that can be taken to avoid them.

Challenges and opportunities

To take full advantage of the BYOD model and address the challenges and risks associated with it, a company needs to perform an internal BYOD assessment exercise by reference to its own specific business needs and model, and consider the impact that BYOD practices may have on issues such as privacy, data security, and IT, in general. Arguably and perhaps obviously, the BYOD model may not be practical for every single business; however, where the size and services offered by the company and the industry that they operate in so permits or necessitates it, BYOD will certainly prove valuable.

Cons

A data breach is the most significant risk in relation to BYOD. Companies using a BYOD policy have to accept the fact that they will not necessarily have full control over the use of employee devices, whilst employees will have, through their own devices, access to data and information that is sensitive and/or confidential to the company. This, in itself, should be of great concern to an employer, particularly because, with the exposure of a company's ecosystem to the outside world, the chances of a cybersecurity breach are significantly higher. Consequently, this brings considerable risks, particularly with regard to reputational damage and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). With fines of up to €20 million or 4% of annual global turnover (whichever is higher) under the GDPR, as well as unquantifiable reputational damage, a BYOD policy will have to be as bulletproof from a data privacy standpoint as practically possible.

In this regard, companies will have to develop and maintain the right infrastructure to ensure that their networks, systems, processes, and the devices of employees (whenever used for BYOD purposes) are shielded from unscrupulous activities and attacks, in full compliance with the GDPR. In particular, companies will need to be able to account for all personal data they have stored, and be in control of such data at all times. Pursuant to the GDPR, data controllers are responsible for such data even if it is kept on devices which they do not own. Accordingly, the responsibility for the integrity and security of data stored on a device that is not the property of the company will unavoidably extend to such devices (i.e. employee devices), regardless of ownership status.

Furthermore, with a BYOD model, a support system may not be in place to adequately address all issues, whether technical or otherwise, that may arise with regard to device usage. This is because employees may work through different devices, equipment, specifications, and operating systems, each one of which has its own inherent challenges and requirements.

Last but not least, another data privacy-related challenge that arises with the BYOD model, although not BYOD specific, is that of ensuring the confidentiality and security of information from a 'controls' perspective. In particular, introduction of the BYOD model, as the new norm in the working environment, may potentially lead to situations where employers find themselves unable to satisfactorily secure the integrity, confidentiality, and non-disclosure of company data, including sensitive client data. This is because such data may, whether intentionally or unintentionally, be stored on an employee's device and be exposed to risks post working hours, such as when the employee's device is used by the employee himself/herself or another family member for personal purposes.

Pros

The benefits of using a BYOD policy at the workplace can primarily be summarised as follows:

  • It is relatively common for employees these days to use their own smartphones and/or laptops for professional reasons (e.g. to access email accounts), whether or not their employer has implemented a formal BYOD policy. As such, a BYOD policy will not be unfamiliar for employees and employers will be encouraged to implement the same under such specific conditions and requirements, as the needs of the business may so dictate, taking into account the data security considerations (as set out below).
  • A BYOD policy provides employees with greater flexibility, which 'millennials' and 'generation Z' specifically value as being one of the key factors leading to job satisfaction. In turn, this can increase loyalty, productivity, and, ultimately, employee retention.
  • Companies are constantly seeking ways to reduce overhead costs and a BYOD policy can significantly reduce the costs spent on equipment and software, as employees will purchase their own devices. In addition to this, by combining BYOD with a remote working policy, a company can minimise its overhead costs even further, as this translates into less office space required and thus less rent. However, it should be borne in mind that not all employees may have at their disposal a device to work on, and hence, in some cases, the company may be required to acquire such devices.

Creating an effective BYOD policy

Where a BYOD policy is to be introduced, setting out a thorough and effective framework under which the BYOD policy shall operate is vital to ensure that the risks identified above do not materialise. In doing so, a company must firstly identify what it seeks to achieve with a BYOD policy and how the policy should be structured, having always in mind the data privacy challenges inherent in the BYOD concept. For instance, some key questions that need to be addressed are:

  • What types of devices does the company intend to facilitate work from (i.e. laptops, smartphones, tablets, or a combination)?
  • Will BYOD devices only be used for remote working, or will they also be brought into office premises and be connected to 'trusted' networks?
  • What tasks will the employees be allowed to perform from their devices?
  • What type of access will such devices be granted to the company's ecosystem, and under what terms and/or safeguards (e.g. secure access will only be possible where a device comes within range of the company's premises)?

Furthermore, employee exits are also a significant consideration when setting out a BYOD policy. Clear guidance that clarifies the steps and procedures that must be adhered to when an employee separates from the company should be stipulated within the policy to ensure the smooth transfer of any data stored in the employee's device and deletion of such data.

Effective practical measures need to be put in place to maximise the benefits and simultaneously mitigate security risks associated with BYOD. In particular:

  • Ring-fencing software: Ring-fencing software can be one of the most effective measures when implementing a BYOD policy. In essence, this is a method by which part of a device is isolated into its own 'bubble', protected by a separate password and regulated by a different set of rules. As a result, keeping work-related data contained within one application, separated from the employee's personal applications and data, enables employees to enjoy full and unrestrained use of their devices without introducing any additional security threats to the company's network, and also allows companies to access and manage such data centrally without violating their employees' privacy.
  • Passwords and antivirus software: Password protecting computers and mobile devices should be mandatory. Also, to add an additional layer of protection, many companies institute regular password changes (every 90 days for example) and/or multi-factor authentication. Furthermore, antivirus software must be installed on every device. The company may opt to purchase a licence and install antivirus software on every BYOD device, or alternatively instruct employees to install their own software and then confirm with the IT department of the company that their devices are protected.
  • Blocked websites/applications: Blocking particular websites and applications that do not meet the company's security criteria, and thus are considered to pose a risk to the security of the company, is also an effective way to tackle the risks related to BYOD. However, it should be noted that this measure may be somewhat problematic if not implemented in conjunction with ring-fencing software, as it restricts the ability of employees to use their own personal device(s).
  • Training and updates: Employees should receive sufficient training with respect to the BYOD policy in place, security procedures, and the GDPR. Companies need to ensure that their employees are familiar with the risks pertaining to BYOD and fully comprehend their responsibilities. Moreover, all applications and operating systems need to be updated as soon as an update is available to patch newly discovered issues.
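As an added illustration (not from the article or its author), the measures above can be expressed as a device posture check that gates access to the company ecosystem: a device must present a ring-fenced work container, a screen lock, a recently rotated password, MFA enrolment, active antivirus, current OS updates, and none of the blocked applications. The report fields, the 14-day patch-lag limit and the blocked-app names are assumptions; the 90-day rotation is the article's own example.

```python
from dataclasses import dataclass, field
from datetime import date

# Policy values: the 90-day rotation is the article's own example; the
# patch-lag limit and blocked-app names are constructed assumptions.
MAX_PASSWORD_AGE_DAYS = 90
MAX_PATCH_LAG_DAYS = 14
BLOCKED_APPS = {"unvetted-file-share", "unvetted-remote-control"}

@dataclass
class DeviceReport:
    # Posture facts an MDM agent would report for one BYOD device (assumed schema).
    device_id: str
    has_work_container: bool    # ring-fenced work profile present
    screen_lock_enabled: bool   # device is password protected
    password_set_on: date
    mfa_enrolled: bool
    antivirus_active: bool
    os_patch_lag_days: int      # days since the latest available OS update
    installed_apps: set = field(default_factory=set)

def evaluate(report: DeviceReport, today: date) -> list:
    """Return the policy findings for a device; an empty list means compliant."""
    findings = []
    if not report.has_work_container:
        findings.append("work data not ring-fenced in a managed container")
    if not report.screen_lock_enabled:
        findings.append("device is not password protected")
    if (today - report.password_set_on).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than %d days" % MAX_PASSWORD_AGE_DAYS)
    if not report.mfa_enrolled:
        findings.append("multi-factor authentication not enrolled")
    if not report.antivirus_active:
        findings.append("antivirus not active")
    if report.os_patch_lag_days > MAX_PATCH_LAG_DAYS:
        findings.append("OS updates more than %d days behind" % MAX_PATCH_LAG_DAYS)
    blocked = sorted(report.installed_apps & BLOCKED_APPS)
    if blocked:
        findings.append("blocked applications installed: " + ", ".join(blocked))
    return findings

def access_decision(report: DeviceReport, today: date) -> str:
    """Gate access to the company ecosystem on the posture findings."""
    return "allow" if not evaluate(report, today) else "deny"

# Constructed sample reports: one compliant device, one that fails two checks.
TODAY = date(2022, 2, 1)
COMPLIANT = DeviceReport("dev-001", True, True, date(2022, 1, 10), True, True, 3)
STALE = DeviceReport("dev-002", True, True, date(2022, 1, 10), True, True, 30,
                     installed_apps={"unvetted-file-share", "mail"})
```

A denied device gets the findings list back so the employee knows which control to fix before access is restored.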

Conclusion

Despite the fact that the benefits stemming from a BYOD policy are irrefutable, the answer to the question of whether BYOD is effective can be somewhat blurred. This is because of the data security considerations involved and the challenges of implementing a robust policy which safeguards a company's network from security breaches whilst preserving employee privacy and without inhibiting the ability of employees to use their devices in their own time. One thing is clear, though: the conventional way of working is changing. BYOD and remote working are real and here to stay. It is therefore unavoidable for companies to adapt and invest in their BYOD policies and infrastructure to make sure that the relevant risks are minimised (and, where possible, eliminated).

Grigoris Sarlidis Senior Lawyer
A.G. Erotocritou LLC, Limassol