We wrote recently about the ownership of business contacts which are held in an employee’s personal social media account. However, there is actually a bigger threat to the control of business information.
A survey has been released by Ovum stating that 67% of employees who own a smartphone and 69% of employees who own a tablet use them for work purposes. This has made us think about the business implications of these practices. It could appear that this is an IT issue but, for us, any area that needs to be covered by policy is an HR issue!
1. Benefits of Bring-Your-Own-Device at Work
There are obviously benefits to both employers and employees when employees use their own devices for work purposes.
- From the employer’s perspective, they can see increased productivity and save money by not having to provide staff with devices.
- From the employee’s perspective, they don’t need to carry two different phones around with them.
Having employees use their own device can also reduce employee expenditure as they can charge some of the phone costs back to the company.
2. Lost or Stolen Data on Personal Devices
The biggest downside to employees using their personal devices for work purposes is that the company loses all control over how information is stored and protected.
Phones and tablets are easily lost and stolen, and the company would have no idea what information was on the device.
In reality, an employee may actually choose not to tell the employer that the device was stolen/lost. Therefore the company may be blissfully unaware that confidential information was in the hands of who knows who.
3. Data Protection Issues
Under data protection regulations, an employer has key responsibilities when it comes to managing and protecting data.
If a mobile device held personal data relating to staff or clients and the device were to be lost, then the employer would have a responsibility to report the breach to the Information Commissioners Office (ICO). The business would also need to demonstrate what steps had been taken to protect the data that has been lost.
In addition, many mobile phones back up to the cloud which can also prevent a challenge. Data Controllers have a responsibility to ensure that all data is kept within the European Economic Area. Therefore, if the cloud service used was US-based then this may breach this requirement.
4. Options for Employers to Prevent Problems
You could simply take the position that you don’t want your business data to be stored on personal devices.
Therefore, you simply tell people that they can’t use personal devices for business purposes. If this is the route that’s best for your business, you’ll need to be able to provide business owned devices if there is a need for your staff to be contactable for work purposes when they are outside of the office.
If you choose to allow employees to use personal devices for work purposes then, as with so many business practices, the first step to protecting your business is to ensure that you have a clear HR policy in place.
5. Bring-Your-Own-Device Policy Requirements
The policy needs to set out the requirements on individuals in relation to using their personal devices for work purposes. Some things that you should consider are:
- Registration – do you want staff to register that they are using their phone for work purposes?
- Lost or stolen procedure – what should staff do should the device be lost or stolen?
- Data Management – what will you be doing to ensure that your data is managed appropriately?
- End of employment – how will you ensure that all data is removed from personal devices at the end of employment?
The ICO has useful guidelines regarding bring-your-device schemes. We recommend that you take a look at this document.
Need support implementing a Bring-Your-Own-Device scheme?