Does your business risk violating GDPR by allowing BYOD?

The BYOD trend is becoming increasingly popular across organizations, but it raises the question of whether it puts GDPR compliance at risk.
7 June 2018


The trend of bring-your-own-device (BYOD) has become increasingly popular among organizations.

A survey conducted by Censuswide for Thumbtel has found that a quarter of senior managers and almost a third of directors use their personal phone for work purposes, while 37 percent of middle and senior managers use the same phone for both work and pleasure. This leapt to 78 percent for business owners.

Allowing a range of devices to process personal data held by an organization comes with many benefits including improved employee job satisfaction, increased efficiency, and increased flexibility.

But this increased access to personal data also raises the question of how the controller can comply with the GDPR, which came into force last month.

The GDPR requires companies to be accountable for all personal data they have stored, regardless of device ownership. Compliance is mandatory. Full stop.

Does BYOD pose a risk to GDPR compliance?

With employees able to access personal data on their own devices, this raises the question of whether BYOD poses a risk to GDPR compliance.

“If your employees elect not to use their company-issued mobiles or you have a Bring Your Own Device policy in place, it’s time to consider the implications of GDPR on your business,” said Andy Munarriz, founder and CEO of Thumbtel.

A study exploring BYOD adoption found that of the 72 percent of UK companies who embrace BYOD in the workplace, only 54 percent have adopted formal BYOD policies.

It is vital that the data controller remains in control of the personal information they are responsible for, regardless of the ownership of the device being used to process such data.

Good policies are essential

Users connecting their own personal devices to your IT systems must clearly understand their responsibilities in handling the data.

It is wise to perform an audit in order to understand the types of personal data you are processing and the devices – including their ownership – that you are allowing to access or hold that data.

The best way to ensure compliance is to have an effective BYOD policy in place. By considering the potential risks to data protection from the outset, you can embed good practices into the core of your business activities.

A BYOD policy will provide guidance and clarity on BYOD behavior, as well as outline accountability. Things to be included in a BYOD policy include:

  • A clear outline of which types of personal data may be processed on employees' personal devices and which may not.
  • How auditing and ongoing monitoring of compliance with the policy will be carried out.
  • What action needs to be taken to protect against unauthorized or unlawful access. This can include what measures need to be taken if a device is lost or stolen. The answer to this may be controlling access to the device or data using a password.
  • Ensuring that throughout the life-cycle of a device, deletion of data is safe and secure. This is especially important if a device is sold or transferred to a third-party company.
  • Guidance on how to assess the security of public Wi-Fi networks.

While BYOD brings various benefits to the workplace, it also poses a significant risk to data. Thus, for businesses that embrace BYOD, a strong policy is needed to ensure employees comply with the requirements of GDPR.