A. Introduction: Bring Your Own Device
As we all know, BYOD is a working model which employees can use their own devices for work. Recently, we have come across with a significant research paper about ‘Bring Your Own Device’ (BYOD) model, its challenges and privacy. The researchers try to find out answers to these two questions:
“(1) How do companies deal with employees’ privacy concerns regarding the introduction of BYOD?”
“(2) What is the impact of employees’ privacy calculus of risks and benefits associated with the use of BYOD mobile devices on their attitude and in turn intention to use their private mobile devices for work?”
First question’s answer is built on the insights of two multinational companies where the work councils have concerns on intervening employees’ private lives due to BYOD implementation, whereas, the second question’s is answered by focusing on different cultures i.e Germany, United States, South Korea and conducting an online survey with 542 employees from these countries.
The findings show that in today’s world, employees request for more flexible conditions and working hours rather than 9 am to 5 pm which directs companies and organizations to adapt BYOD model. However, even though BYOD model has significant advantages for employees, it still brings up privacy concerns and organizational measures that employers should take not only for protecting the employees’ private life but also taking the control over their business information.
Working more flexibly is closely related to the BYOD issue because of the reasons mentioned below:
- Employees are not required to carry various devices along with them;
- Employees may choose devices according to their personal preferences which increase the employees’ working motivation.
In this article, we focused on ‘Bring Your Own Device’ model regarding privacy and GDPR. We will also scrutinize the matter by considering privacy concerns, employers’ obligation, employees’ rights and possible solutions.
B. Privacy Concerns on Bring Your Own Device
Although its employers’ duty to provide necessary devices and equipment for employees, they generally tend to use BYOD model since it has financial advantages, especially for SMEs, such as avoiding the cost of devices price of related services. Furthermore, BYOD enables increase in efficiency and motivation of the employees.
In spite of BYOD model’s financial advantages, there are still important privacy risks that have to be dealt with. It must be asserted that privacy risks concern not only employers but also employees, therefore, this is a grey and risky area in terms of the privacy law. At this point the potential risks for them are given below.
- From the employers’ point of view:
When employees use their own devices for work, many personal data including the sensitive ones may be processed through their devices. Consequently, fulfilling the obligation of data controllers -employer’s- regarding data protection is at stake. Especially, if the employer does not take necessary technical, organizational and also legal measures for security and privacy, such as adopting internal policies or implementing risk management processes. Since subject of BYOD is personal and private equipment, it is difficult for employers to control them especially considering the fact that they can be used by third parties like the spouse or relatives of the employee.
If employers are subject to GDPR, then the scope of the responsibility is even broadened. According to Article 17 of GDPR, data subjects may request their data to be erased (“right to erasure”) which would require data controller to access employees’ devices. This would get even more difficult if it involves a post-employment process.
- From the employee’s point of view:
Once employees use their own devices for their job, they actually give right to their employer to control the devices. This is definitely a necessary and fair action considering the fact that employers shall protect their business information.
On the other hand, employees also have their very own personal data on their devices and while accessing to these devices employers should be very careful not to violate employees’ privacy. This may go further as accessing the personal data, such as location data or internet traffic etc. and private files of employees.
Below, we have stated our recommendations for BYOD model considering both employees’ and employers’ benefits below.
C. Bring Your Own Device Policy & How to draw up the Policy?
One of the most fundamental actions for employers to take is to prepare draw up a policy for BYOD model. We have listed 4 important steps concerning the policy:
Step 1: Cooperation with employees, IT and HR departments
ICO published a paper about BYOD model and it says that the employer must assess the following issues in detail; type of data, storage location, transfer of data, potential risks for leakage, distinction between the personal and business use of the device, security measures like which apps are being used for the security, post-employment process and procedure for loss or theft of a device.
In order to make a comprehensive assessment, our first advice would be to organize meetings to overview the current situation, problems, risks, employees’ requests and other issues. Then, employers can work on the structure of this model considering solutions, costs etc. building on the first outputs.
We always claim that companies must be in a cooperation with their departments, and IT and HR departments are the front runners among others, for all compliance process related to the data protection. These departments has significant roles for internal measures because of the fact that their knowledge leads internal policies.
We believe that this is the first most important step for drafting the BYOD policy. Listening and taking notes in the first meetings are quite crucial to gain insight on the issues and to make a comprehensive overview on the situation. Then, the employer may start to draw up the policy by considering the real inputs from the employees.
Step 2: Outline Your Policy
Following the assessment meetings and consideration of the team’s inputs, employer should outline the policy.
- Defining Necessary Definitions (i.e. Mobile Device, Business Information & Private Information)
In a well-designed BYOD policy, the employer should define the necessary definitions. Even though employers may decide content of the policy, we still suggest the following terms to be defined in every policy.
- Business & Private Information:
Defining business information and outlining its scope is vital for distinguishing it from private information. Otherwise, employer may violate employees’ right to privacy. In the meantime, where the private information includes personal data of employee, this will also violate the employees’ right to data protection and in particular, if the case falls under the GDPR, the employers may face with intimidating penalties.
- Subjects of the Policy
The policy shall be binding for both current employees and former employees considering the fact that the former employees take their own devices with them while they terminate their contract. Therefore, post-employment period, the employer must ensure that all the business information including personal data if any, has been wiped and prior to the wiping process ‘employees’ personal information should be separated from the business information.
- Definition of Mobile Devices
“Mobile device” may be defined as devices, such as phones, tablets, laptops, smartphones etc. that provides mobility for employees and also devices that are used for storage like USB flash drives.
- Scope of the Procedures
Employer should define the scope of the technical and organizational procedures that will be carried out and inform the employees before they start to use their devices. This is especially very important for employers to fulfill their obligations as data controller. For instance, in accordance with GDPR, the employer shall erase personal data upon the request of data subjects, and the employer must be technically able to fulfill this obligation which may not be very simple if the relevant data is embedded in employees’ own devices or even more difficult if it concerns former employees’ device. Therefore, the employer should develop procedures, such as keeping data records or taking legal (i.e. implementing contractual clauses) and technical measures (i.e. managing and monitoring the data processes by involving internal technical teams for assistance; using inter-office programs integrated with employees’ devices). Certainly, the most effective measure here is to store little personal data on the employee’s device, if it is possible.
- Obtaining Employees’ Permission
Since the employer may be required to access or monitor the employees own devices, their permission should be obtained. It would be more beneficial for employers to get written permission in order to use it as a proof in case of a conflict.
- Whitelisting: The Applications (“Apps”) that Employees Shall Use on Their Devices for the Security
The employers should also determine the apps that the employees shall use on their devices for the security. This is quite important because personal devices of the employees cannot be controlled and restricted by its very nature. For this reason, the employer should provide security at least via applications. On the other hand, costs of these Apps are generally covered by employer or employees may reimburse their employers. As a result of this, expenses for ensuring security of BYOD model may surprisingly exceed -especially for the companies whose main business is related to personal data- compared to the potential expenses for providing company devices. In other words, sometimes purchasing Apps or using subscription-based Apps for each employee may be even more expensive than providing a company device.
- Blacklisting: The Apps that are generally banned by the Employers
On the other hand, some Apps may be banned by the employer considering the security issues. In this case, the employer should make a blacklist for Apps and add it to the policy in order to clarify this matter for the employees and also to avoid exception for any person, team or department. According to the mobile security firm Symantec’s ‘Enterprise Mobile Security Pulse Report for Q2 2018’, WhatsApp is the most blacklisted app for iPhones by the employers in BYOD policies due to its data leakage risks. A vulnerability of WhatsApp was discovered in May, and a company named NSO was accused of developing a spyware which causes data leakage for the App. This spyware was placing through a WhatsApp call – generally the user does not even see the missing call as it has been already erased- and the spyware can leach into your encrypted conversations. When this example is taken into consideration, banning WhatsApp is a necessary measure for BYOD model to protect business information and/or personal data.
Furthermore, Facebook which isalso the owner of the WhatsApp, is one of the risky Apps that can cause a data leakage easily. Therefore, Facebook and its messenger should also be on the most black-listed Apps. Additionally, the same report says that ‘The majority of Android apps that were blacklisted scored in the malicious range because malware was detected’.
All in all, it is important to follow up the new researches and reports of techsecurity companies and be informed about the latest news and to work with a good IT team.
- Employers should organize internal trainings periodically concerning BYOD model including device management, security, privacy etc. These trainings should involve each employee and their content should be updated in accordance with the technological developments.
- Public Wi-Fi or Always-on Bluetooth or Other Unsecured Networks
Employees should be warned about not to use their devices by connecting a public Wi-Fi or always-on Bluetooth or any other unsecured networks. In case of an emergency, the employees may have to connect to an unsecured network, and in order to be on the safe side, they should use VPN and powerful anti-virus program. Therefore, the employer should raise the awareness of the employees on this matter and add clauses to the policy regarding how to use the devices outside of the office.
- Liabilities, Rights and Disclaimers
In a comprehensive policy, the employer should define the liabilities -for both employees and employer- and disclaimers in details. For example, when an employer wants the employees to use a software for security, the employer must answer these two questions in the policy: “Who is responsible for purchasing that software?” or “Is there any reimburse procedure if the employee purchase that by its own?”
The employer should also determine the employees’ liabilities in details. As an example, if a data breach takes place due to the fact that an employee downloads a blacklisted App, the employee should be aware of the consequences of such this negligence or misuse.
On the other hand, the employer should regulate rights of the employees in the policy as well. For instance, employees may use their rights when their private information or personal data placed on their own devices is accessed by the employer without a valid cause. Additionally, stating disclaimers would be beneficial considering the potential negative results of right to control of the employer within the scope of BYOD model.
Step 3: Security Solutions for BYOD Model
- Mobile Application Management (MAM)
- Mobile Device Management (MDM)
- Enterprise Mobility Management (EMM)
In BYOD model, employers should implement some security measures to ensure that their business information and private data processed in the context of the business are in safe.
The employers should provide a private, members-only network for accessing or transferring data and for preventing public networks’ risks. This may be beneficial not only for BYOD model but also COPE (Company-Issued Personal Enabled).
As BYOD is one of the most-used working models and employers need to secure their business, they apply to Mobile Application Management (“MAM”). Mobile Application Management is the system which focuses directly to the security of Apps used on personal devices.
Sandboxing, an example to the solutions offered in the context of MAM, is often used by employers for security and it enables users to execute the programs or code in an isolated environment. Consequently, in case that an error occurs, it would not damage other areas or operating system of the device. Sandboxing many applications or using the currently sandboxed applications may be an efficient way for security. Coordinating with IT departments and adding a protocol to BYOD policy is crucially important for taking this measure properly.
Mobile Device Management (“MDM”) is slightly different from MAM. MDM offers security solutions for Apps, Wi-Fi, VPN, and enables to lock the device or erase information remotely etc. while MAM is used only for Apps. However, it should be taken into consideration that MDM solution may require monitoring employees’ own devices, therefore it is important to inform them and implement a MDM policy.
Enterprise Mobility Management (“EMM”) is an umbrella concept which combines MDM and MAM. Apart from that, Virtual Desktop Infrastructure (“VDI”) can be a perfect solution for BYOD model. Virtual Desktop Infrastructure “…is virtualization technology that hosts a desktop operating system on a centralized server in a data center.” Through VDI, employees can use a persistent or non-persistent desktop to access the business information and data so that the employees can split the business use and private use of the device, besides that the employers can control over the employees’ desktops. This system is not only a useful technology for BYOD model, but also has many benefits for the employees who generally work remotely.
Step 4: Privacy Impact Assessments
We strongly advise you to execute Privacy Impact Assessments (“PIA”) over workplace, implementations, measures, policies and other issues periodically. Privacy Impact Assessments is important to find out the mistakes, ineffective or inactive matters that can be patched or changed or to update procedures.
In the meantime, it should be noted that in case that the employer’s activities fall under the GDPR, making a periodic assessment to demonstrate compliance to GDPR in accordance with Art. 35 would be essential.
Recent technologies have entailed companies to use alternative devices and methods in workplace. BYOD model is considered as one of the most preferable and cost-efficient one among them – especially for SMEs- since it has benefits for both employers and employees.
On the other hand, as in the BYOD model employees use their personal devices, various privacy and data protection concerns and risks may occur. One of the most important one is that employers’ access to an employees’ devices for the business purposes, in such cases the employers’ actions may cause an infringement against personal data and private life of the employee and the employer may face with the criminal and civil actions according to the applicable law. Furthermore, business information that is stored on the employees’ personal devices may also include personal data of third parties such as customers of employers and it would be employers’ responsibility to protect such data. Therefore, it goes without saying that this model inevitably would bring employers additional obligations in accordance with the applicable law and particularly GDPR.
However, employers may eliminate potential risks of this model is by drafting draft a BYOD policy. As we point out in this paper, a comprehensive policy may be drafted by following 4 (four) fundamental steps which are (i) cooperating with employees and relevant departments (ii) determining the content of the policy and outlining it (iii) determining security solutions (iv) executing privacy impact assessments.
All in all, employers who want to benefit from the advantages of the BYOD model, should take the necessary technical, legal and organizational measures mentioned above, insofar as they are applicable, in order to avoid unexpected situations, such as data breaches, privacy infringements allegations etc.
Disclaimer: The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Att. Ayben ARIKAN
Att. Sinem GOCMEN UYARER