Why BYOD in the workplace is such a bad idea

May 20, 2017,  EU General Data Protection Regulation, Henley Business School, News  One comment

With data security of all organisations under significant threat from external actors, all organisations need to review the security of processing personal data as a matter of urgency. And such reviews must include the use of Bring Your Own Devices (BYOD) as well as the Internet of Things (IoT) used in the workplace.

An employee and independent contractor engaged by the Data Controller, Joint Data Controller(s), Data Processor and sub-Data Processor(s) may well be using their own personal mobile devices, such as a smartphone or tablet, to process personal data of customers, clients, supporters and employees.

The practice of Bring Your Own Devices (BYOD) is endemic across all industry, business and professional sectors and unless such personal data processing is properly secured it will be seen as an aggravating factor in personal data processing and an infringement of the EU General Data Protection Regulation (GDPR).

In this blog, I’m going to discuss the technical and organisational measures required to secure BYOD and the growing use of the Internet of Things (IoT) in the data governance framework and what alternatives exist that should be considered by the Data Controller, Joint Data Controller(s), Data Processor and sub-Data Processor(s) in order to comply with the GDPR.

It’s such an important issue, given the vulnerabilities of organisations to protect themselves against hacks as we’ve witnessed with the recent global DoS and ransomware attack that shut down so many computer systems with devastating results for patients who were awaiting operations on the NHS in the UK.

Some of those organisations affected may be tempted to think a quick-fix solution is to get workers to use their own devices in the hope these devices would be more secure.

But this would be a catastrophic mistake.

What’s meant by ‘BYOD’?

The term of art ‘Bring Your Own Device’ (BYOD) refers to the use of a personal communication device for work purposes. For example, this would include an individual who has their own private mobile phone, laptop, tablet or similar device when working on behalf of the Data Controller or Data Processor.

The use of BYOD in a corporate context means the employee or contractor doesn’t need to carry and use another device specifically for work or business use.

For the Data Controller and the Data Processor, the use of BYOD presents a potential financial saving on equipment costs but crucially such a policy doesn’t take account of the inherent risks in processing personal data on BYOD or the level of sanctions and fines that could be imposed by the Supervisory Authority in the wake of a personal data breach involving such a device(s).

The risk of a personal data breach is further aggravated by the lack of technical and organisational controls over the use of a privately-owned device coupled with the lack of any responsibility for the Data Controller or Data Processor to maintain the software, operating system and applications that run on such a device.

For example, in the wake of personal data breach, the Data Controller or Data Processor will be powerless to lock down a BYOD in order to prevent further harm or damage to Data Subjects.

The use of BYOD also makes it more difficult for the Data Controller to assess the risk to processing personal data across the value chain and further complicates its ability to comply with the GDPR.

The same inherent lack of controls are typical for many new consumer technologies, where BYOD and the ‘Internet of Things’ (IoT) devices enable a much closer integration of a product or service into a user’s lifestyle with enhanced functionality and convenience.

For BYOD and IoT product and service providers, the benefit of this close integration is often a longer lasting relationship with the user.

However, given the data protection issues that such devices create, the use of IoT devices within a work environment will also need to be captured under a data governance framework, particularly when physical hardware is owned by third parties and not the Data Controller or Data Processor.

Protecting personal data in BYOD and IoT in the workplace

In protecting personal data for use in BYOD and IoT devices, the Data Controller and Data Processor should ensure the following happens:

• A thorough review that exposes all relevant risks of processing personal data on BYOD and IoT devices
• Create a governance framework to effectively manage personal data risks by enforcing the use of the technical and organisational measures to mitigate against the risks inherent in using BYOD and IoT devices
• That the Data Protection Officer (DPO) or senior manager responsible for assurance and compliance must police the operation of the technical and organisational measures applied to mitigate the risks in processing personal data using BYOD and IoT devices and report any discrepancies that arise as a result to the Data Controller or Data Processor
• The DPO must implement technical and organisational measures in order to prevent and detect data incidents as a result of the use BYOD and IoT devices in the organisation
• The incident management process must be able to respond to data incidents in an effective and timely manner in order to reduce the risk of harm or damage to Data Subjects as well as protect business continuity across the entire value chain.

All of these checks and balances must cover the whole value chain without exception. Any residual risks that aren’t within the established risk appetite of the Data Controller will prevent the processing of personal data at an acceptable level of risk and wouldn’t be compliant with the GDPR.

Key considerations before allowing BYOD and IoT in the workplace

In assessing the risk of using BYOD and other consumer technologies, the Data Controller and Data Processor should seek answers to the following questions:

• In processing personal data, what are the purposes and benefits that the use of a BYOD or IoT devices supports? Does the user of the device understand the impact and risk of using the device for processing personal data?
• How can the data protection principles (Art. 5, GDPR) be supported by the use of BYOD and IoT devices?
• Can and should consent of the Data Subject be obtained for processing personal data on the BYOD or IoT device? The potential offline nature of personal data processing on the device may not take account of changes in consent by the Data Subject and the lawfulness of processing personal data.
• Can the access restrictions on the device be circumvented or breached? In “rooting” the operating system of a BYOD, privileged access is obtained to enable modification of all aspects of the software.
• Is personal data stored on the BYOD or IoT device? Is that personal data encrypted? Is the cryptographic key stored on the device or elsewhere?
• What are the risks of shared use of the BYOD or IoT device? Is it acceptable that the personal data is disclosed to the other users of the device? Is access controlled appropriately? This could include family member use of that device.
• When using secure online processing, how does the organisation make sure that only authorised individuals can access and process personal data?
• What other applications run on the BYOD or IoT device? Will the other applications on the device be able to access or export the personal data beyond the control of the Data Controller or Data Processor?
• How is the BYOD or IoT device maintained, configured, patched and upgraded? How does this fit with the personal data risks around staff joiners, movers and leavers?

The response to these questions will help identify appropriate technical and organisational measures required to mitigaBYPte the risks to the rights and freedoms of Data Subjects, support the principle of Data Protection by Design and by Default (Art.25, GDPR) and protect business continuity of the Data Controller across the value chain.

Secure processing of personal data on BYOD and IoT devices is only likely to be achieved if the ultimate control of the processing is with the appropriate Data Controller or Data Processor.

Examples are:

• The use of online-only processing allows BYOD and IoT devices to act as a secure display of personal data whilst the actual personal data processing is performed under direct control of the Data Controller or Data Processor without the personal data having to be on the device.
• The use of asymmetric cryptography to allow for secure offline encryption of collected personal data on a BYOD or IoT device, but this requires direct involvement from the Data Controller or Data Processor for decryption.

BYOD currently in use

The lack of physical ownership and ultimate control of BYOD and IoT device poses specific problems in the management of personal data risk when devices get lost or stolen.

Under Art.5(1)(f), GDPR, the Data Controller and the Data Processor are under a duty to ensure that personal data can’t be disclosed to unauthorised users of these devices.

However, the Data Controller and Data Processor will fail to comply with such a duty where the loss or theft of the BYOD or IoT device goes unreported.

In addition, when the relationship with the employee or independent contractor comes to an end, the organisation won’t retain control over the BYOD or IoT device or any software on that device.

It will be necessary to ensure that all personal data risks of unauthorised disclosures have been mitigated against upon each and every last transaction performed on such a device.

Conclusion

Although BYOD and IoT devices will be popular with staff and independent contractors, they present significant personal data protection challenges to the Data Controller and the Data Processor.

It’s possible to implement a secure BYOD and IoT policy as discussed in this blog.

However, there’ll be very limited benefits of doing so because personal data shouldn’t be stored on a BYOD or IoT device and as a result, such personal data will need to be downloaded as well as retrieved as necessary. This will necessitate the Data Controller or Data Processor providing a secure and fast internet connection to access the personal data by the employee or independent contractor.

It’s worth remembering that under Art.4 (12), GDPR a personal data breach is defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.’

It follows that a BYOD or IoT device that hasn’t been wiped by the Data Controller or Data Processor and is still accessible by an ex-employee or independent contractor is reportable to the Supervisory Authority and as such can attract a significant sanction and fine.

We haven’t examined the upgrading of smart phones on a regular basis and how the personal data is transferred from the old to the new device, since one of the technical measures that forms part of the governance framework is to stop the copying of personal data.

But in organisations where this practice is prevalent, this presents another operational risk that needs to be resolved by the Data Controller and Data Processor.

On balance, given the inherent practical risks to personal data processing on BYOD or IoT devices, the Data Controller and Data Processor must proceed with extreme caution for allowing continued usage of such devices for work and business-related purposes.

For information about the GDPR Transition Programme at Henley Business School, click here.

Share the Guru...