What's a BYOD policy when it's at home?

BYOD is a 'Bring Your Own Device' policy. And with ever more of us with devices constantly stuck to our ear and pressed firmly in our hand, employers need to be alive to the risks and benefits to their business of letting employees 'BYOD'.

By Emma Swan, employment partner, Taylors.

BYOD is a practice that allows employees to use personal mobile devices, such as smartphones, tablets and laptops, for business purposes. Many employers are attracted to allowing employees to use their own devices because it means they are able to work longer hours by interacting with the company’s IT systems outside of normal work hours.

However, it is important as an employer that you are not lulled into a false sense of security.

There are both legal and commercial risks that arise with BYOD, and you need to consider the issues carefully before allowing the practice. If you do choose to take this route, make sure you implement a policy to help you manage it across your business.

Whenever there are new access routes to data, there are inevitably new security concerns and BYOD is no exception to this. As well as concerns associated with the loss or leaking of commercially-sensitive data, employers also have legal responsibilities around the security of certain data under the Data Protection Act 1998. The Information Commissioner’s Office has made it clear that these responsibilities apply “regardless of the ownership of the device used to carry out the processing”.

Employee responsibilities should be carefully addressed in a BYOD policy. Issues around misconduct, discrimination and confidentiality that may arise where there is improper use of an employer’s IT systems are usually already addressed in an employer’s IT policy. However, a BYOD policy will need to consider further issues.

So what can you do to help control some of the risks to the business and develop a BYOD policy? Here are some of the points that you should consider:
  • You should review your systems and take steps to minimise vulnerabilities before allowing the widespread use of personal devices. Once this has been done, devices should initially only be allowed on a trial basis, by reference only to a limited number of staff, so that all of the various functions can be properly tested.
  • You should also vet the types of devices that you allow your employees to use, and employees should only be allowed to use devices that are secure.
  • You should ensure that devices have a strong password and that they lock automatically if an incorrect password is entered. It should also be a requirement that your employees use encryption software to store personal data securely and that any data transfer takes place only through an encrypted channel.

Any BYOD policy will need to make it clear that any work data will remain the employer’s property.

The policy should also include a requirement that the employer’s data be deleted from a device if an employee either resigns or is dismissed.

One of the risks around BYOD is that it may be more difficult to detect or demonstrate that an employee has taken or misused commercially-sensitive information. The policy should include a requirement for the employee to hand over any personal device that has been used to access the employer’s information as and when an employee resigns or is dismissed so that the employer can check whether confidential information has been properly and permanently deleted. It is also important that, in order to enforce the BYOD policy, you are able to demonstrate that your employees were aware of the policy and they accepted the terms.