
What to consider when bringing your own device to the office

Work securely, flexibly, and efficiently from anywhere: It’s all possible with tablets, smartphones, and laptops. Since employees are most familiar with their private devices and operating systems, it is ideal and most cost-effective for the business to integrate these private devices into the IT system of the business. However, for employees to have secure and mobile access to company data and for data transmission to comply with data protection legislation, a well-thought-out concept that is tailored to the company is required.

What you need to know, in a nutshell

  • The use of private devices in a company setting needs to be regulated by a clear and understandable security concept.
  • The BYOD (Bring Your Own Device) concept must provide rules of conduct, access rights, and data protection requirements agreed upon by employees.
  • From a legal perspective, the use of the implemented software and IT resources is regulated jointly by the works council and the employees.
  • Device maintenance, software support, and security implementation must be the core elements of BYOD.

What does Bring Your Own Device (BYOD) mean?

We refer to the Bring Your Own Device (BYOD) concept when a company allows its employees to access the company network via the employees’ privately owned devices, such as smartphones, tablets, laptops, or even desktop PCs. Usually this involves a number of positive aspects, including cost-effectiveness and efficiency, but it comes with some security risks.

However, for the integration of private devices, companies need clear guidelines and policies to govern the BYOD concept, as well as relevant clauses included in the employment contracts.

What benefits does BYOD have for employees?

With BYOD, employees can use the device they’re already familiar with and don’t have to learn the ropes of another operating system. This brings three significant benefits to employees:

  • The familiarisation period needed to use the device is omitted.
  • There is increased mobility if the devices are also used in the employees’ home-office setup.
  • Flexible working leads to increased employee satisfaction.

Last but not least, the number of mobile devices that employees must carry is reduced, for example, if the smartphone is used for both business and personal use.

What are the benefits of Bring Your Own Device for the company?

Even if the company has not implemented a BYOD policy, private devices are often used for work purposes, for example, to check e-mails or coordinate appointments. However, the company is usually not aware of the use of these private devices. BYOD gives companies a more transparent overview of which private devices employees use to access company data or company accounts.

  • Companies have more control over which devices are used by whom.
  • Employees who are familiar with their devices can work more efficiently.
  • Companies save on purchasing devices and don’t have to deal with the assertion of warranty claims in the event of device defects.

Moreover, the load on the company’s IT department is lessened because employees take better care of a device that belongs to them. Additionally, BYOD is used to adapt the work environment to the employees’ needs. Aside from higher levels of satisfaction, this also leads to increased productivity.

What risks are involved with Bring Your Own Device?

For companies that implement a BYOD policy, there is a high level of organisational and technical expenditure. As an employer, it is advisable to balance the management of and access to the content on the privately owned devices with an overview of the kind of software installed on these devices. The company can only integrate private devices into its company network if all security precautions are taken for:

  • Prevention of spying on trade secrets,
  • Impediment of know-how theft, and
  • Preparation of the system for attacks.

The threat of malware, theft of a private device, and possible access by unauthorised third parties must be taken into consideration. Appropriate precautions must then be taken to ensure that no contact data, call lists, or passwords can be read. Access by third parties could result in immense damage for your company; however, a clearly formulated BYOD concept keeps the risks at bay.

Step by step: This is the course of action when implementing a BYOD system

  • Analysis: Specify who has access to which data from which device.
  • Integration: Integrate all mobile devices into the security concept.
  • Access: Organise the protection, encryption, and exchange.
  • Regulation: Secure the use of applications and services.

 

What is helpful in managing mobile devices is Mobile Device Management (MDM) or, as a more advanced development, Enterprise Mobility Management (EMM). These management systems ensure that both the private mobile devices and the company’s own devices are clearly coordinated. This gives you extensive control mechanisms and insights in line with the data protection principles, in order to prevent misuse of data, unauthorised access, and data leaks, or at least to recognise them in case of emergency.

How can BYOD be implemented in compliance with data protection legislation?

With the management of the mobile devices in the company using an MDM or EMM solution, private devices are also reliably activated and secured. Since it becomes possible to access the user’s private information via the mobile device, companies must ensure that they comply with the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (UK GDPR). Please take note of the following so that employees consent to their devices being accessed:

  • Private e-mails and private surfing behaviour fall under personal privacy and may not be viewed.
  • If the MDM is outsourced to a provider (Managed Mobility Service), the company is still responsible for ensuring privacy.
  • The employee must be consulted when implementing an MDM.

An MDM does not collect any personal data, neither the e-mail address of the private device nor private contacts. The browser history and the frequency of use of certain apps are also not recorded. The MDM or EMM supports the division of business and private use, and primarily manages

  • device recognition and information about the operating system,
  • business phone numbers, e-mail contacts and messages, as well as
  • the apps installed on the device.

When is BYOD access to the company network secure?

Data security and protection against data loss are the most important items when enabling your employees to partake in the BYOD system. Employees’ usage of their private smartphone, tablet, laptop, or PC is prescribed in detail by the company. The following features are the foundation for secure access:

  • Two-factor authentication ensures a secure login.
  • Integration into the company infrastructure works via VPN encryption.
  • Security software checks apps for possible malware.
  • Separation between the device owner’s data and the company’s data. The employee should not be able to inadvertently or deliberately move the company’s data into their personal storage on the device or onto separate personally-owned devices.

In addition, logs identify possible attacks on a device and thereby recognise dangerous situations early on. Moreover, the IT department is responsible for ensuring that the operating system and the programs used are constantly updated and that a patch management tool is installed to close security gaps.

Despite all the measures, there is no such thing as one-hundred-percent security, as the user also carries a certain residual risk. However, this risk can be minimised with robust technical and organisational measures.

How can business and private data be separated with BYOD?

To ensure an adequate level of protection as an employer, you must implement technical and organisational measures in accordance with the current state of the art pursuant to Article 32 of UK GDPR. One of the vital organisational measures should be a contractual agreement between you and your employees that regulates the clear division of private and business matters:

  • Unauthorised third parties (e.g. spouses, life partners, children, friends, and acquaintances) are not permitted to have access to company data.
  • The private data on the devices must be protected from access by the employer.
  • When the employee is travelling abroad privately, it must be ensured that security agencies do not have access to business data.

You have the following options to ensure that this is secured and that you as the employer can still use, edit, or delete company data:

  • Different operating systems are used by configuring virtual desktops. Use of the device for business purposes takes place via a VPN connection directly in the company’s data centre.
  • The partitioning of the hard drive in the device enables separate storage of data and operating system. The business data are not combined with the private data.
  • A Container app prevents uncontrolled traffic of data. The data are encrypted and stored in a secure Container. Information cannot end up in an insecure application through copy-and-paste.

What are the responsibilities of employees and employers when using BYOD?

Employers must set clear standards on how private devices may be used for corporate purposes. The following employee responsibilities must be governed in the employment context:

  • The operating system must be updated regularly, because the updates for smartphones and tablets close security gaps.
  • Apps must also be updated regularly so that they do not become a gateway for malware.
  • Only the apps authorised by the company should be used for work tasks, since unauthorised apps carry a high data protection risk.
  • Security mechanisms must be established for open WLAN networks that are not necessarily secure.
  • The operating system configured by the manufacturer should not be modified, as this would make the file system open to attack.
  • Company data should only be accessed via a secured browser, as otherwise malware could infiltrate the system.
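
The secure-access features and employee responsibilities listed above can be enforced as a device-posture check before a private device reaches company data. The following is an added example, not part of the original article or of any MDM product; the field names, minimum OS versions, app identifiers and sample devices are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values, constructed for this example (not from the article).
MIN_OS = {"android": (14, 0, 0), "ios": (17, 4, 0)}
APPROVED_APPS = {"com.example.mail", "com.example.browser"}

@dataclass
class Posture:
    # Business-relevant device facts only: no private mail, contacts or browsing.
    device_id: str
    platform: str
    os_version: str
    rooted: bool             # manufacturer OS modified (root or jailbreak)
    storage_encrypted: bool
    mfa_passed: bool
    on_vpn: bool
    work_apps: set = field(default_factory=set)  # apps in the work container

def parse_version(text):
    # "17.4" -> (17, 4, 0); anything unparsable fails closed as (0, 0, 0).
    try:
        parts = [int(p) for p in text.split(".")]
    except ValueError:
        return (0, 0, 0)
    return tuple(parts + [0] * (3 - len(parts)))

def evaluate(p):
    # Returns (allowed, reasons) and reports every failed control, not just the first.
    reasons = []
    minimum = MIN_OS.get(p.platform)
    if minimum is None:
        reasons.append(f"unsupported platform: {p.platform}")
    elif parse_version(p.os_version) < minimum:
        reasons.append(f"OS {p.os_version} is below the patched minimum")
    if p.rooted:
        reasons.append("operating system has been modified")
    if not p.storage_encrypted:
        reasons.append("device storage is not encrypted")
    if not p.mfa_passed:
        reasons.append("two-factor authentication not completed")
    if not p.on_vpn:
        reasons.append("not connected through the company VPN")
    reasons += [f"unauthorised work app: {a}" for a in sorted(p.work_apps - APPROVED_APPS)]
    return (not reasons, reasons)

# Constructed sample devices.
GOOD = Posture("dev-001", "ios", "17.5", False, True, True, True, {"com.example.mail"})
BAD = Posture("dev-002", "android", "13", True, True, True, False,
              {"com.example.mail", "com.other.notes"})

if __name__ == "__main__":
    for device in (GOOD, BAD):
        print(device.device_id, *evaluate(device))
```

Logging the full list of reasons for each denied device gives the IT department the early-warning record the article calls for, without touching the employee's private data.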

Which employees are suitable for the implementation of BYOD?

A BYOD solution is particularly suitable for departments that focus on communication, PR, social media, service or customer support. Since the employees of these departments often have to be very mobile, they are prepared to accept the various IT requirements to use private devices. IT specialists also value BYOD because they are especially productive and work well in the environment familiar to them, e.g. Android or Apple.

What are the alternatives to BYOD?

It depends on the respective company, but check whether a CYOD solution is in principle easier to implement than the BYOD concept. CYOD stands for Choose Your Own Device and is a variant of the Corporate Owned, Personally Enabled (COPE) idea, which allows business devices to be used privately. A user selects the work device from the company pool and, by arrangement, this device can also be used privately.

Conclusion

Introducing the Bring Your Own Device concept is complex because the legal and technical aspects are diverse; however, the provision of a BYOD system offers your company many benefits and contributes to a future-oriented image. The integration of private devices into the company network requires clear guidelines:

  • Data must be encrypted during transmission and on the mobile device.
  • Only authorised and updated apps may be used.
  • Private applications and data and business applications and data must be kept separate.
  • Access to networks and cloud applications must be protected.

Those who accept the strict policies in favour of a personalised work-life balance model will enjoy the BYOD concept. The more comfortable it is for employees to work, the fewer reasons there are to bypass security systems.


About the author

Robert Mäckle

Even before he became Senior Data Protection Officer at DataGuard, data protection played an important role in Robert Mäckle's career: whether during his time as a senior consultant at a Big Four firm or during his work in IT security and process optimisation. Today, the business information systems specialist looks after clients from the tech sector, including SMEs, startups and international corporations. What appeals to him most about data protection is the challenge of setting up digital business models in line with data protection requirements and IT security standards. What moved him to get involved in data protection? “Data is the oil of the 21st century. However, it should be extracted in a way that meets social and security standards. I want to do my part in that.”