How to manage an effective BYOD policy
The digital landscape has been unrecognisably transformed from a decade or so ago. One of the key trends to have come to the fore from advancing information technology has been the phenomenon of ‘going mobile’, driven by the explosive emergence of mobile phones, laptops and tablets – a trend which shows little sign of letting up any time soon.
Understandably, this has had an impact on people’s working lives, as it has facilitated far more flexible and mobile workforces.
Cue the rise of BYOD – that is, bring your own device – policies, in which workers are able to use their consumer technology for corporate purposes, with business applications such as those available from Canopy installed on devices alongside user-downloaded social networking apps and personal holiday snaps, for example.
However, while the idea of colleagues being able to use their own technology to do their job seems like a relatively utopic business proposition, it has not come without its pitfalls – chiefly concerns about security.
One of the key selling points for BYOD is the flexibility that it affords personnel. However, businesses – no matter their size – still need to be able to exercise an unparalleled degree of control over devices being used for business operations, whether or not they actually belong to the company.
The fundamental principle of a successful BYOD policy is that the data controller remains 100 per cent in control of all data and information – regardless of whether it is stored on a corporate-owned and supplied PC or on a tablet computer back at an employee’s home.
According to the ICO, there are eight key risks that a data controller needs to take into account in order to roll out a secure BYOD policy: what type of data is held; where data may be stored; how it is transferred; potential for data leakage; the blurring of personal and business use; the device’s security capacities; what to do if the person who owns the device leaves their employment; and how to deal with the loss, theft, failure and support of a device.
However a company decides to run its operations, there are certain fundamental principles – enshrined in law – that must be applied across the board, whether you are a large multinational corporation or a small business in a rural village.
When it comes to security, the Data Protection Act is one such piece of legislation that outlines the key principles of ‘good information handling’. BYOD presents a problem, however, as the device – containing company data – is owned by the employee and not by the person who is actually in charge of controlling that data.
Companies can make sure their BYOD policies are watertight by ensuring personnel are fully versed and compliant with data protection legislation, so they don’t land themselves – and their company – on the wrong side of the law. This includes training staff about how to safeguard against – and what to do in the event of – loss or theft of devices, for example.
The fact of the matter is, for many companies BYOD could open a lot of doors. While it should not be adopted if it is going to introduce vulnerabilities into an otherwise secure environment, an effective policy could see employee job satisfaction boosted as staff enjoy an improved work/life balance, along with greater workforce productivity and increased flexibility of operations, to name just a few of the major benefits. But it must be done right, or else it could cause far more problems than it set out to solve.