Encouraging your workforce to embrace technology can bring all sorts of benefits, but a key decision business owners need to make is whether to provide any electronic devices staff will be using for work, or to allow (or indeed require) employees to use their own – an arrangement known as Bring Your Own Device, or BYOD.
In fact ‘bring your own’ can go beyond actual physical devices, extending your IT infrastructure using your employees’ personal accounts on cloud storage solutions or other apps. As this extends beyond devices, it is now often known as BYOx, meaning Bring Your Own Everything.
At first thought it can seem a very attractive idea. Small businesses can save the expense of buying new phones and tablets, and employees don’t have to carry around multiple devices, or use technology which they are less comfortable with or which doesn’t fit their personal preferences. It can have a positive impact on morale and job satisfaction.
But many bigger organisations have now moved away from the concept, as there are significant risks and concerns associated with allowing BYOD or BYOx. It may still be the right solution for your small business, but it’s important to be fully aware of the risks and take appropriate steps to mitigate them.
Fundamentally, the organisation is responsible for personal data held or processed in the course of business activities, regardless of who owns or maintains the devices being used to process the data. The employer is the data controller, and must therefore remain in control of personal data, which is clearly more difficult if the device is not owned, provided and supported by the organisation.
Data controllers must take appropriate measures to protect the personal data they hold from being unlawfully processed, and against loss or leaks, and again this is more difficult when the business does not control the devices being used. Therefore, before allowing BYOD, it’s crucial to assess what data you will expect employees to access through their own device, consider whether the device has adequate security settings, and ensure that there is no risk that the employee might, for example, loan the device to a family member.
The convergence of life with work means that backing up the entire device has data protection implications. The backup may possibly include special categories of data, as many people use apps to manage many areas of their life, including perhaps medical conditions.
As with any technology, things can sometimes go wrong. Providing technical support for devices the business owns and controls is clearly much easier, and it is not advisable to offer technical support for devices owned by individual employees. Unless you are going to offer that technical support, you will need a plan for dealing with a situation where an employee is hindered in their work by a problem with their phone or tablet.
Linked to the data protection concern, you may find that in order to adequately protect data the individual will be accessing as part of their role, you need their device to offer a certain level of security protection, such as fingerprint or facial recognition. You cannot guarantee that all devices employees use will meet those requirements, or will ‘match’ in terms of capabilities, which makes processes for protecting data more complex.
Loss or theft
Loss or theft of the device being used for work is a significant risk, given the lack of control the organisation has over it. You may wish to look into tracking options or ‘remote kill’ capabilities, but again these are more difficult to insist upon if you do not own the device. You would need the employees’ consent, which realistically they are unlikely to provide, particularly if they are fully aware of the ramifications of a ‘remote kill’ in terms of loss of photographs or other personal information stored on the device.
It’s also important to consider what happens to the device upon termination of employment. Unlike a business-owned phone or tablet, the employee clearly won’t just hand it back, which may lead to issues about personal data stored on the phone, as well as commercial concerns if you are worried about losing clients or contacts and the employee is taking their phone number with them.
Clear policies and guidelines can help mitigate many of these concerns, but above all it is crucial to be aware of them, and to be certain you can adequately meet your business’s legal obligations and protect its commercial interests before allowing BYOD. For further advice, do get in touch.