21st March 2014
Smart phones and tablet computers have become increasingly commonplace, with advancing technology increasing their available features and capability. Employees are also increasingly using their personal mobile devices for business purposes and, whilst this can no doubt benefit businesses by reducing costs, there are a number of risks for employers. The issue is clearly high on the priority list of the Information Commissioner’s Office (ICO), which issued a press release in the new year encouraging organisations to have a clear Bring Your Own Device (BYOD) policy in the workplace.
Personal mobile devices are owned, paid for and supported by the user, rather than the business. As such, a business will have significantly less control over the device than it would normally have over a company device. A business is responsible for protecting company data stored on mobile devices, whether or not the devices are personal.
Businesses in favour of BYOD should consider implementing security measures to prevent unauthorised or unlawful access to their systems or company data. To protect personal data from unauthorised or unlawful access, the ICO suggests ensuring that devices are locked with a strong password and use encryption to store data on the device securely. Additionally, mobile device management software is available which can allow a business to remotely manage the device.
Given that the device is personally owned, users will also be much more reluctant to allow an employer to monitor their devices. If a business wishes to do so, it must set out clearly why there is a business need and, among other things, ensure that monitoring does not encroach on periods of normal personal use such as evenings and weekends.
In addition to these issues, the risk of loss or theft of the device is one of the most significant facing businesses. Loss of personal devices could lead to unauthorised or unlawful access to a company’s systems and confidential information. The ICO recommends businesses ensure a process is in place for quickly and effectively revoking access to a device in the event that it is reported lost or stolen.
Businesses should consider registering devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.
BYOD seems increasingly inevitable, and with it comes the risk of security breaches and data protection issues. It is clear that businesses, as data controllers, are responsible for ensuring that all processing of personal data, whether on a corporate device or a personal device, remains in compliance with the data protection legislation.
For further information about the ICO press release or BYOD policies please contact Fiona Moss on 01932 590 220 or email email@example.com or another member of the corporate and commercial team.