“BYOD is a ticking time bomb” warns data protection expert Martin Hickley

As data protection, compliance, human resources and legal experts speculate about the consequences the forthcoming EU General Data Protection Regulation (GDPR) will wreak on organisations, there is widespread confusion across the web as to whether Bring Your Own Device (BYOD) is still acceptable, or whether organisations need to undertake a data protection impact assessment (DPIA) and radically change their internal policies as a result.

“Even though the law in this area hasn’t changed today, it would be foolhardy in the extreme for organisations not to carry out a DPIA as a precautionary measure given the massive data protection and security risks that allowing BYOD currently presents,” warns data protection and compliance expert Martin Hickley.

GDPR will replace a Europe-wide regime created by an EU directive in 1995, when the internet was still in its infancy and nothing like today's mobile technology existed.

The modern smartphone era began in January 2007, when Steve Jobs brandished a piece of plastic no bigger than a KitKat and proclaimed that it would change everything. Eight years on, the Apple iPhone exemplifies the early twenty-first century's defining technology.

Smartphones are now taken for granted and have opened up a new world of work in which we can work as effectively from home or the local coffee shop as from the office. Some studies have found that in developing economies every ten extra mobile phones per 100 people increase the growth rate of GDP per person by more than 1%, for example by drawing people into the banking system. WhatsApp was founded in 2009 and already handles 10bn more messages a day than the global SMS text-messaging system.

The phone is a platform, so start-ups can cheaply create an app to test an idea – and then rapidly go global if people like it.

The way in which mobile has become the centre of our connected world has changed work-life balance into work-life integration.

Mobile manufacturers have been quick to jump on this bandwagon, pushing the benefits of employees having their own devices that keep them in touch with the office and make them more productive.

The mood music behind this surge in working ‘the way you want, when you want’ is: why would an organisation supply every employee with a laptop or smartphone when they already have one? Wouldn’t knowledge-based organisations be missing out on cost savings?

If every employee already owns a smartphone and tablet (maybe several devices) why are organisations still buying employees a computer and smartphone when they join the company? That equipment then needs to be maintained, upgraded and replaced. Isn’t the money better spent improving internal infrastructure such as better security and collaboration tools to enable employees to work anywhere, anytime, on their own devices?

The company could then reinvest that money in tools that make the mobile worker more productive.

So will this get companies off the hook, freeing them from a spiral of escalating costs as they invest in the latest technology and support it across the organisation?

As attractive as these arguments may appear, they are deeply flawed according to Martin Hickley.

“Cost savings aren’t comparable to the financial damage and reputational risk that can be incurred as a result of lost or stolen data and the security implications that a data breach entails. Data protection authorities (DPAs) are insisting that organisations must work to a much higher standard than at present and in the UK the ICO has just published guidance on this area and it makes interesting reading,” he says.

Under the existing Data Protection Act 1998, data controllers must ensure that all processing of personal data under their control remains compliant, and in the event of a data breach the data controller must be able to demonstrate that it has secured, controlled or deleted all personal data on the device concerned.

The reality is that BYOD makes this almost impossible to police, and the ICO guidance states:

“The underlying feature of BYOD is that the user owns, maintains and supports the device. This means that the data controller will have significantly less control over the device than it would have over a traditional corporately owned and provided device. The security of data is therefore a primary concern given that the data controller may have a large number and a wide range of devices to consider.”

Martin Hickley advises that companies should carry out an organisational DPIA that includes a review of the policy and procedures under which employees are permitted to use their own mobile devices for work purposes.

Specifically, data controllers MUST find out:

  • what types of data are held on the employee-owned devices in use
  • whether that data is encrypted
  • where such data may be stored
  • how such data is transferred
  • what the risk of data leakage through BYOD is
  • how the company can ensure that personal and business use of the device are kept separate
  • the security capabilities and vulnerabilities of every employee-owned device in use
  • the policy for when an employee leaves, having had access on their own device to personal and confidential information about the company’s customers/clients
  • how to deal with the loss, theft, misuse and failure of an employee’s device
  • what support (if any) the company offers to help maintain the device.

“When you start to run through that list you quickly realise that BYOD isn’t a way to save money – in fact, it’s potentially a nightmare that leaves the company massively exposed.

“For example, how can such devices be partitioned so that personal information like photos of the employee’s children isn’t accessed by the company’s servers? And should an employee want to take a photograph of a PC screen displaying confidential information at the office, this image will be stored on the BYOD without any control by the company over its use whatsoever.

“Data controllers might be lulled into a false sense of security by thinking that the solution is an app that’s downloaded onto an employee’s mobile device, where restricted data can only be accessed through this app.

“The trouble with that as a solution is that the employee may have downloaded other apps on the BYOD that could be much less secure and could have security vulnerabilities where the employee’s mobile device could be completely hacked without them knowing this is happening. Such a scenario is a real danger for the theft and loss of personal data for which the company remains responsible. And under GDPR, there are significantly higher financial penalties for data breaches that will outweigh the cost of supplying a mobile device to every employee in the first place – which is still the most effective solution,” concludes Martin Hickley.
