Bring Your Own Device (BYOD) policies – what are they, and do you need one?

An increasing number of employers are finding that employees use their own smartphones, iPads, tablets, laptops and other devices to access work-related information.

Whereas a few years ago businesses tended to take a more restrictive approach and tried to limit access to devices owned or monitored by the employer, recently organisations are finding that there are benefits for everyone where employees are free to manage their workload flexibly with the devices that suit them best. 

However, while research [http://www.ico.org.uk/news/latest_news/2013/survey-guidance-on-byod-personal-devices-07032013] shows that 47% of UK workers use their own devices for work purposes, less than 33% of those people say have had guidance from their employers on doing this.

Those who have been given guidance have probably been given a Bring Your Own Device (BYOD) policy. Ideally, BYOD policies should sit alongside existing policies on usage of IT, internet, email, data protection and, where appropriate, social media.

There are of course risks to bear in mind when employees use their own devices – after all, the device is owned, maintained and used by someone other than the IT department, so the employer does not have the same control as it may be used to. The employee may not be the only person to use the device (their family may also have access) so that needs to be considered. There is also the potential for a blurring of the lines between personal and business use when it comes to things like social media postings made on the employee’s own equipment.

What BYOD policies set out to do is ensure that employees are clear on the employer’s rules for using their own devices, for example information security – such as what happens if an employee downloads customer data on a device which isn’t properly secured. An employer will also want to specifically ensure that it has a right to access and wipe data on any devices which may contain work-related information.

The popularity of BYOD has led to the Information Commissioner’s Office (ICO) issuing specific guidance on this issue. In particular, the ICO following points should be addressed:

• Specific Guide = [http://www.ico.org.uk/for_organisations/data_protection/topic_guides/online/~/media/documents/library/Data_Protection/Practical_application/ico_bring_your_own_device_byod_guidance.ashx]

• Ensure that staff are clear on what data they can and cannot use on their personal devices
• Strong passwords should be used to secure all devices
• Ensure that appropriate facilities are in place to wipe or preserve confidentiality of data if a device is lost or stolen

We work with several organisations who have BYOD policies and have found the arrangement to work very well – employee feedback shows that they feel that it has a real benefit. It does however need to be managed carefully to balance making the rules clear with ensuring that the approach is not so draconian as to put employees off using it!