What to consider when bringing your own device to the office?

What you need to know, in a nutshell

• The use of private devices in a company setting needs to be regulated by clear and understandable security concepts.
• The BYOD (Bring Your Own Device) concept must provide rules of conduct, access rights, and data protection requirements agreed upon by employees.
• The use of the implemented software and IT resources is managed from a legal perspective between the works council and the employees.
• Device Maintenance, software support and security implementation must be the BYOD core elements.

In this article

• What does Bring Your Own Device (BYOD) mean?
• What benefits does BYOD have for employees?
• What are the benefits of Bring Your Own Device for the company?
• What risks are involved with Bring Your Own Device?
• How can BYOD be implemented in compliance with data protection legislation?
• When is BOYD access to the company network secure?
• How can business and private data be separated with BYOD?
• What are the responsibilities of employees and employers when using BYOD?
• Which employees are suitable for the implementation of BYOD?
• What are the alternatives to BYOD?
• Conclusion

What does Bring Your Own Device (BYOD) mean?

We refer to the Bring Your Own Device (BYOD) concept when a company allows its employees to access the company network via the employees’ privately owned devices, such as smartphones, tablets, laptops, or even desktop PCs. Usually, this involves a number of positive aspects, including cost-effectiveness and efficiency, but it comes with some security risks.

However, for the integration of private devices, companies need clear guidelines and policies to govern the BYOD concept, as well as relevant clauses included in the employment contracts.

Find here our BYOD template to simplify this process.

What benefits does BYOD have for employees?

With BYOD, employees can use the device they’re already familiar with and don’t have to learn the ropes of another operating system. This brings three significant benefits to employees:

• The familiarisation period needed to use the device is omitted.
• There is increased mobility if the devices are also used in the employee’s home office setup.
• Flexible working leads to increased employee satisfaction.

Last but not least, the number of mobile devices that employees must carry is reduced, for example, if the smartphone is used for both business and personal conduct.

What are the benefits of Bring Your Own Device for the company?

Even if the company has not implemented a BYOD policy, private devices are often used for work purposes, for example, to check e-mails or coordinate appointments. However, the company is usually not aware of the use of these private devices. BYOD gives companies a more transparent overview of which private devices employees use to access company data or company accounts.

• Companies have more control over which devices are used by whom.
• Employees who are familiar with their devices can work more efficiently.

• Companies save on purchasing devices and don’t have to deal with the assertion of warranty claims in the event of device defects.

Moreover, the load on the company’s IT department is lessened because employees take better care of their private devices. Employees take better care of a device that belongs to them. Additionally, BYOD is used to adapt the work environment to the employee’s needs. Aside from higher levels of satisfaction, this also leads to increased productivity.

What risks are involved with Bring Your Own Device?

For companies that implement a BYOD policy, there is a high level of organisational and technical expenditure. As an employer, it is advisable to balance the management and the access of the content on the privately owned devices, and the overview of the kind of software installed on these devices. The company can only integrate private devices into their company network if all security precautions are taken, for

• Prevention of spying on trade secrets,
• Impediment of know-how theft and
• Preparing the system for attacks.

The threat of malware, theft of a private device, and possible access by unauthorised third parties must be taken into consideration. Appropriate precautions must then be taken into account to ensure that no contact data, call lists, or passwords can be read. Access by third parties could result in immense damage to your company. However, a clearly formulated BYOD concept keeps the risks at bay.

What is helpful in managing mobile devices is Mobile Device Management (MDM) or, as advanced development, Enterprise Mobility Management (EMM). These management systems ensure that both the private mobile devices and the company’s own devices are clearly coordinated. This enables you to have extensive control mechanisms and insights in line with the data protection principles in order to prevent misuse of data and data leaks, unauthorised access, and data leaks, or at least recognise them in case of emergency.

How can BYOD be implemented in compliance with data protection legislation?

With the management of the mobile devices in the company using an MDM or EMM solution, private devices are also reliably activated and secured. Since it becomes possible to access the user’s private information via the mobile device, companies must ensure that they comply with the Data Protection Act 2018, and the United Kingdom General Data Protection Regulation (UK GDPR). Please take note of the following so that employees consent to accessing their devices:

• Private e-mails and private surfing behaviour fall under personal privacy and may not be viewed.
• If the MDM is outsourced to a provider (Managed Mobility Service), the company is still responsible for ensuring privacy.
• The employee must be consulted when implementing an MDM.

An MDM does not collect any personal data – neither the e-mail address of the private device nor private contacts. The browser history and the frequency of use of certain apps are also not recorded. The MDM or EMM supports the division of business and private use, and primarily manages

• device recognition and information about the operating system,
• business phone numbers, e-mail contacts and messages, as well as
• the apps installed on the device.

When is BOYD access to the company network secure?

Data security and protection against data loss are the most important items when enabling your employees to partake in the BYOD system. Employees’ usage of their private smartphone, tablet, laptop, or PC is prescribed in detail by the company. The following features are the foundation for secure access:

• Two-factor authentication ensures a secure login.
• Integration into the company infrastructure works via VPN encryption.
• A security software checks apps for possible malware.
• Separation between the device owner’s data and the company’s data. The employee should not be able to inadvertently or deliberately move the company’s data into their personal storage on the device or onto separate personally owned devices.

In addition, logs identify possible attacks on a device and thereby recognise dangerous situations early on. Moreover, the IT department is responsible for ensuring that the operating system and the programs used are constantly updated and that the installation of a Patch Management tool bridges security gaps.

Despite all the measures,: there is no such thing as one-hundred-per-cent security, as the user also carries a certain residual risk. However, this risk can be minimised with robust technical and organisational measures.

How can business and private data be separated with BYOD?

To ensure an adequate level of protection as an employer, you must implement technical and organisational measures in accordance with the current state of the art pursuant to Article 32 of UK GDPR. One of the vital organisational measures should be a contractual agreement between you and your employees that regulates the clear division of private and business matters:

• Unauthorised third parties (e.g. spouses, life partners, children, friends, and acquaintances) are not permitted to have access to company data.
• The private data on the devices must be protected from access by the employer.
• When the employee is travelling abroad privately, it must be ensured that security agencies do not have access to business data.

You have the following options to ensure that this is secured and that you, as the employer, can still use, edit, or delete company data:

• Different operating systems are used for configuring virtual desktops. Use of the device for business purposes takes place via a VPN connection directly in the company’s data centre.
• The partitioning of the hard drive in the device enables separate storage of data and operating system. The business data are not combined with the private data.
• A Container app prevents uncontrolled traffic of data. The data are encrypted and stored in a secure “Container”. Information cannot end up in an insecure application through copy-and-paste.

What are the responsibilities of employees and employers when using BYOD?

Employers must set clear standards on how private devices may be used for corporate purposes. The following employee responsibilities must be governed in the employment context:

• The operating system must be updated regularly because the updates for smartphones and tablets bridge security gaps.
• Apps must also be updated regularly so that they do not become a gateway for malware.
• Only the apps authorised by the company should be used for work tasks, since unauthorised apps carry a high data protection risk.
• Security mechanisms must be established for open WLAN networks that are not necessarily secure.
• The operating system configured by the manufacturer should not be modified, as this would make the file system open to attack.
• Company data should only be accessed via a secured browser, as otherwise malware could infiltrate the system.

Which employees are suitable for the implementation of BYOD?

A BYOD solution is particularly suitable for departments that focus on communication, PR, social media, service or customer support. Since the employees of these departments often have to be very mobile, they are prepared to accept the various IT requirements to use private devices. IT specialists also value BYOD because they are especially productive and work well in the environment familiar to them – e.g. Android or Apple.

What are the alternatives to BYOD?

It depends on the respective company, but check whether a CYOD solution is in principle, easier to implement than the BYOD concept. CYOD stands for Choose your own Device and is a variant of the Corporate Owned, Personally Enabled (COPE) idea, which allows business devices to be used privately. A user selects the work device from the company pool and by arrangement, this device can also be used privately.

Conclusion

Introducing the Bring Your Own Device concept is complex because the legal and technical aspects are diverse. However, the provision of a BYOD system offers your company many benefits and contributes to a future-oriented image. The integration of private devices into the company network requires clear guidelines:

• Data must be encrypted during transmission and on the mobile device.
• Only authorised and updated apps may be used.
• Private applications and data and business applications and data must be kept separate.
• Access to networks and cloud applications must be protected.

Those who accept the strict policies in favour of a personalised work-life balance model will enjoy the BYOD concept, and the more comfortable it is for employees to work, the fewer reasons there are to bypass security systems.

Interested in learning more about how to stay privacy compliant when employees bring their own devices? Feel free to reach out to our experts: