GDPR – bring your own device (BYOD)

Electronic devices such as smart phones and tablets have seen a huge rise in popularity over the last five years.

A significant part of this has been exponential increase in their available features and capabilities. The average smart phone can process larger quantities of data more quickly than a desktop computer ten years ago.

Many data controllers are faced with ever increasing demands from partners, employees, and even clients wishing to use these devices in the workplace to carry out their jobs. This might mean that individuals’ own devices are used to access and store corporate information, as well as their own. This trend is commonly known as ‘bring your own device’ or BYOD.

Permitting a range of devices to process personal data held by an organisation can lead to a number of benefits including improved employee job satisfaction, overall increased morale, increased efficiency and increased flexibility. However it also gives rise to a number of questions a data controller must answer in order to continue to comply with their data protection obligations both under the existing Data Protection Act and GDPR. Data held can include copies of emails and documents attached to them as well as files specifically copied to them for ease of access when out of the office.

The data controller must remain in control of the personal data for which they are responsible, regardless of the ownership of the device being used to carry out the processing. The breach risks associated with BYOD are significantly higher for the organisation because the BYOD user owns, maintains and supports the device. This means that the data controller has significantly less control over the device than they would over a traditional corporately owned and provided device.

The time and effort required to manage the risk is compounded by the large number and wide range of devices potentially being used.  BYOD must not introduce vulnerabilities into existing secure environments.

The controller will need to assess…

  • What type of data is held
  • Where data may be stored
  • How it is transferred
  • Potential for data leakage
  • Blurring of personal and business use
  • The device’s security capacities
  • The type of storage media on the device (for example, an easily removable memory card whose loss might go unnoticed for some time)
  • Multiple copies of data stored across a number of different devices will make it more difficult to comply with the GDPR requirement for data to be accurate and kept up to date
  • What to do if the person who owns the device leaves their employment
  • How to deal with the loss, theft, failure and support of a device.

The GDPR requires that the data controller to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

It is important that users connecting their own devices to your IT systems clearly understand their responsibilities. The starting point should be to audit the types of personal data you are processing and the devices, including their ownership, which you will be allowed to access or hold the data.

The best approach to take is to have an effective BYOD policy as by considering the risks to data protection at the outset, the data controller has the opportunity to embed data protection at the core of its business activities and to raise overall standards. For example, by specifying the types of personal data that can be stored on particular devices and which should not (say, the storage of sensitive data could be denied or restricted to devices with a high level of encryption). Some data will never be appropriate to be processed on a personal device.

Things which need to be included in a BYOD policy…

An Acceptable Use Policy to provide guidance on and accountability for BYOD behaviour. For example, if a device is used to access a cloud service and permits users to remain logged in between sessions, unauthorised access to the device could easily result in an unauthorised disclosure of personal data.

  • Clarity about which types of personal data may be processed on personal devices and which may not
  • How audit and on-going monitoring of compliance with the policy will be achieved
  • The measures that need to be taken to protect against unauthorised or unlawful access, for example if the device is lost or stolen. So, controlling access to the data or device using a password or PIN, or encrypting the data
  • The safe and secure deletion of the data throughout the life-cycle of the device, and particularly if the device is to be sold or transferred to a third-party
  • Guidance on how to assess the security of Wi-Fi networks, such as those found in hotels and cafes

In summary, the use of BYOD may have significant benefits but they are balanced by significant risks. Allowing their use needs to be effectively controlled and monitored to ensure that the data controller complies with the requirements of the GDPR.

Ian Cooley GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK.

Related articles