Bring Your Own Device and GDPR: Balancing Compliance and Privacy
When the General Data Protection Regulation (GDPR) came into effect in 2018, practices like Bring Your Own Device (BYOD) were almost unthinkable. How could organisations ever protect consumer data when it was stored on a personal device? How could they track those same devices without compromising their owners' data?
Now, it’s possible to balance compliance and privacy.
Companies can have it all. They can empower employees to embrace hybrid working while maintaining an acceptable level of governance that ensures sensitive and personal data is safe. Here’s how.
Understanding BYOD Risks Relating to GDPR
GDPR is more than guidance. Its instructions are legally binding and, if broken, can result in a fine issued by the Information Commissioner’s Office (ICO). Those fines can be as high as €20 million (equivalent to around £16.7 million), or 4% of a company’s worldwide turnover if that figure is higher. Amazon is proof of this, having been forced to pay out just over £622 million for its personal data breach in 2021.
Although fines are scaled to the size of the company, that is exactly the problem: a fine of any size is debilitating to the company in question, not to mention the reputational damage that comes with it.
Bring Your Own Device (BYOD), while a critical element of successful hybrid working, brings with it its own challenges. If not handled properly, BYOD could result in a GDPR fine.
Network Level Visibility
The ICO needs to know everything about an organisation’s data, especially if a breach occurs and its origin must be investigated. In most BYOD environments this is impossible, because data is stored and shared without control across many personally owned environments.
To get around this, organisations must put in place strict sharing and storage protocols and designate a cloud environment in which all company information must be stored. This is where companies can draw the line between personal and business use, ensuring that no records are kept outside the company’s environment and no employee’s personal data is mixed into the company’s cloud.
Device Type and Use
‘Personally owned device’ is a broad term that can encompass anything from mobile phones to tablets, laptops, desktops and even smartwatches. The security of each device type, and of its make and model, influences whether it is suitable for organisational use.
BYOD should never, in any circumstances, be rolled out flippantly without any rules around which work should be carried out where. For most organisations, smartphones and smartwatches are seen as less secure and so their policies may state that only tablets and laptops are accepted as appropriate for BYOD. The fine details are up to your firm, but you must do your research and put some restrictions in place.
Employee Intent
When adopting BYOD, organisations need to become more aware of possible attacks from internal sources. Instead of viewing cyber threats as a solely external affair, open your mind to the possibility of employees with malicious intent who could use BYOD to their advantage.
Although this seems like an unlikely event, you’ll need to identify and mitigate this risk, covering your back for the worst possible scenario.
Remember, even if you suffer an attack resulting from employee misconduct on an employee-owned device, you are still held accountable for recovery and remediation. So, be mindful that handing control to your people increases the opportunities for data to be phished, and raise the priority of self-education and awareness around corporate security accordingly.
Knowledge can take you and your team far in juggling GDPR and BYOD. Since 73% of employees at large firms have had cyber security training in the last 12 months, so should anyone at your firm who brings BYOD into their everyday work.
Protecting Your Interests and Employees With BYOD Policy
Creating an ironclad BYOD policy is the only way forward to strike the right balance between BYOD and GDPR. It’s an exercise that forces us to identify the risks of adoption, including those listed above, as well as find ways to mitigate those risks and communicate the measures to the rest of the company.
It’s possible to champion personally-owned devices and control your cloud environment, but it’s a road that requires discipline, diligence and devotion to doing things the correct way — not just the most convenient way.
BYOD policies should be created and shared before any storage or sharing of company data begins. This gives employees and outsiders (stakeholders, insurers and investors alike) the chance to get acquainted with the rules and prepare themselves for a safe introduction to more flexible working.
Having a Considered Approach to Hybrid Working and Going Further Than GDPR
Abiding by GDPR rules, remaining compliant and avoiding fines are just some of the challenges of a hybrid working model. A hybrid approach calls for a complete change in your digital environment and an overhaul of your processes.
When moving out of the office, there is no better time to analyse your entire cloud environment’s performance and check whether your settings are appropriate for this significant change in your business.
Doing so could inform yet more new policies and help you identify a few quick fixes that could save your company thousands of pounds and earn it a few brownie points.
Luckily, we’ve created a complete Microsoft Cloud Assessment that you can access for free, all done by a Microsoft Certified Consultant. Click the link below to get started.