Data protection and bring your own device (BYOD)
How can BYOD be reconciled with data protection requirements?
When employees use their private devices, such as smartphones or laptops, as work equipment, it becomes complicated for employers. On the one hand, employees want to work on their familiar devices, but on the other hand, management is obliged to comply with data protection. However, this dilemma between practicality and compliance can be solved.
Bring your own device or bring your own disaster?
So what is the critical issue when employees keep company data on their personal devices? Quite simply, the employer loses control over the company’s own data. While at first glance it seems like a good idea to allow employees to use their personal devices, on closer inspection it is not. With BYOD, private and company data become intermingled. In addition, the risk of data loss increases, since the devices are used far more in the private sphere (e.g. at celebrations, on trips, during private visits from friends, in leisure activities).
Since the employer is also responsible for compliance with data protection requirements, he must take appropriate data security measures. This means he must protect company data from loss or destruction. For this obligation to arise, it is already enough that the employee has access to his or her e-mail account and can download attachments (customer and employee data, data from business partners) to the private device. At the same time, however, the employee has a right to confidentiality of his private data on his own device. The employer cannot simply “screen” a smartphone that is not its property on a permanent basis in order to ensure data security. In the end, rules of the game for use and technical solutions must be combined so that BYOD does not become a disaster.
Data protection for mobile devices
The General Data Protection Regulation (GDPR, or DSGVO in German) has not changed too much for BYOD strategies. Nevertheless, a few changes to already existing regulations need to be considered. Data should remain within the employer’s sphere of control; this could be ensured by setting up a virtual private network (VPN) connection. This would allow employees to view data on mobile devices, but not store it on the devices. This method has the advantage that no company data would be affected if the device were lost or destroyed. However, it also has a disadvantage: editing in offline mode is not possible. Especially for international teams or field workers, location-independent working is important, and this often includes working “on the road” with little chance of a stable Internet connection. If this slows down productivity too much, other technical solutions should be considered.
Encrypted storage areas on the device itself offer another option. This keeps company data separate from private data and prevents the two from being mixed. If the company’s own applications are also run inside this protected storage area, this is known as the “sandboxing” principle. Here too, there is no interaction between the protected environment and what lies outside the sandbox. If the company operating system and the company applications are run separately from the private area, these solutions are known as “virtualization”. This also allows the company to influence how up to date the operating system is and ensure that it remains secure. If two systems run on the device at the same time, this will inevitably have an impact on hardware resources and performance (notably battery life).
Rules must be put in place to ensure that employees adapt their operating systems to the company’s security requirements. In particular, modifications to the operating system, such as jailbreaking iOS devices or rooting Android devices, must be prohibited. It is also important to define the security requirements under which employees are allowed to log into the secured area. Biometric sensors such as fingerprint readers should be left out of the equation, as they are not reliable enough. The physical security of the device can be defined in more detail by means of a policy. Awareness training for employees makes sense as a supplementary and supporting measure, since they are ultimately the ones confronted with the restricted use of their private devices.
Implementation of BYOD strategy
The better employees know how they should behave in specific situations, the safer the use of BYOD will be. So, which points should be regulated?
- Cost coverage in the event of acquisition or damage to the device, but also costs of SIM card use for telephony
- Approved device models, versions of operating software systems and applications (black/white lists)
- Custody rules (e.g. leaving laptop in the car, children playing with the cell phone, etc.)
- Assistance with device maintenance (setup, updates)
- Access rights and controls (remote deletion in case of theft)
- Obligation to report loss – note the 72-hour deadline for reporting a data breach under the GDPR (or other applicable data protection regulations)!
- Security requirements for passwords
- Consequences of violations of the usage policy (e.g., switching to a company device)
- Return of data when leaving the company or when taking a leave of absence
- Restriction of access authorizations
- Participation in training courses to increase security awareness
- Information about data secrecy, for compliance with business and trade secrets
- Supplementing the BYOD strategy in the list of processing activities
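Several of the points above (approved models and operating system versions, the ban on jailbreaking and rooting, the encrypted work area, password requirements, the 72-hour reporting deadline) are exactly the attributes a device-management system checks before it grants a private device access to company data. The following script is an added example, not code from the original article: it evaluates constructed device posture records against a hypothetical BYOD policy and lists each violation, which is the kind of check an MDM or conditional-access rule performs. The policy values, model names, device records and violation codes are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical BYOD policy; thresholds and model lists are constructed for this example.
POLICY = {
    "approved_models": {
        "ios": {"iPhone 12", "iPhone 13"},
        "android": {"Pixel 6", "Galaxy S22"},
    },
    "min_os_version": {"ios": "16.0", "android": "13"},
    "min_passcode_length": 6,
    "require_storage_encryption": True,
    "allow_biometric_only_unlock": False,  # biometrics alone are not accepted for the work area
    "require_work_container": True,        # separate encrypted storage area for company data
}


@dataclass
class DevicePosture:
    """Posture attributes an enrolment/MDM agent would report (constructed fields)."""
    device_id: str
    platform: str             # "ios" or "android"
    model: str
    os_version: str
    os_modified: bool         # jailbroken (iOS) or rooted (Android)
    storage_encrypted: bool
    passcode_length: int      # 0 = no passcode configured
    biometric_only_unlock: bool
    work_container_present: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.4.1' into (16, 4, 1); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_at_least(version: str, minimum: str) -> bool:
    """Compare dotted versions after padding to equal length, so that '16' equals '16.0'."""
    a, b = list(parse_version(version)), list(parse_version(minimum))
    n = max(len(a), len(b))
    a += [0] * (n - len(a))
    b += [0] * (n - len(b))
    return tuple(a) >= tuple(b)


def evaluate(device: DevicePosture, policy: dict = POLICY) -> List[str]:
    """Return the list of policy violations for one device (empty list = compliant)."""
    violations: List[str] = []
    approved = policy["approved_models"].get(device.platform, set())
    if device.model not in approved:
        violations.append("unapproved_model")
    minimum = policy["min_os_version"].get(device.platform)
    if minimum is None or not version_at_least(device.os_version, minimum):
        violations.append("os_version_below_minimum")
    if device.os_modified:
        violations.append("os_modified")  # jailbreak / root is prohibited by the policy
    if policy["require_storage_encryption"] and not device.storage_encrypted:
        violations.append("storage_not_encrypted")
    if device.passcode_length < policy["min_passcode_length"]:
        violations.append("passcode_too_short")
    if device.biometric_only_unlock and not policy["allow_biometric_only_unlock"]:
        violations.append("biometric_only_unlock")
    if policy["require_work_container"] and not device.work_container_present:
        violations.append("missing_work_container")
    return violations


def is_compliant(device: DevicePosture, policy: dict = POLICY) -> bool:
    return not evaluate(device, policy)


def compliance_report(devices: List[DevicePosture], policy: dict = POLICY) -> Dict[str, List[str]]:
    """Map device id -> violations, the input for a fleet-wide access decision."""
    return {d.device_id: evaluate(d, policy) for d in devices}


def breach_notification_deadline(loss_reported_at: datetime) -> datetime:
    """GDPR Art. 33: the supervisory authority must be notified within 72 hours of awareness."""
    return loss_reported_at + timedelta(hours=72)


# Constructed posture records, as an MDM agent might report them.
SAMPLE_DEVICES = [
    DevicePosture("dev-001", "ios", "iPhone 13", "16.4.1", False, True, 6, False, True),
    DevicePosture("dev-002", "android", "Pixel 6", "13", True, True, 8, False, True),
    DevicePosture("dev-003", "android", "Galaxy S22", "12.1", False, True, 4, True, True),
    DevicePosture("dev-004", "ios", "OldPhone X", "15.7", False, False, 6, False, False),
]
SAMPLE_LOSS_REPORTED_AT = datetime(2024, 3, 1, 9, 0)  # constructed timestamp of a loss report

if __name__ == "__main__":
    for device_id, problems in compliance_report(SAMPLE_DEVICES).items():
        print(device_id, "compliant" if not problems else ", ".join(problems))
    print("notify authority by:", breach_notification_deadline(SAMPLE_LOSS_REPORTED_AT))
```

The violation codes are deliberately stable strings so that a gateway can map them to user-facing remediation hints (update the OS, set a longer passcode, re-enrol the work container) rather than silently denying access; the reporting-deadline helper exists so that a lost-device ticket carries the notification cut-off from the moment it is opened.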
Conducting a data protection impact assessment
It is clear that the simplest approach is two separate devices, one for private and one for professional use, but reality looks different. In many cases, implementing a BYOD strategy will be costly and complex, but if it is implemented effectively, it can become a “win-win” situation for employees and the company: users can work with their familiar devices, while the existing risk is reduced by means of a security concept.