Businesses trying to be GDPR compliant whilst allowing BYOD will face many complications2 min read

Allowing BYOD has its benefits, with the main benefits being the following:

• User familiarity with their devices, improving their work rate.
• Businesses, especially smaller businesses, not having to invest as much into hardware for their employees as they bring their own.
• Flexibility if the devices the employees use are their own then they will be able to work out of office easily.

However, allowing employees to use their own devices also has its disadvantages, with some of the main ones being:

• Costs being passed onto the employee. It does depend on the employee but some won’t like having to buy their own laptop for work. However, there will be those that would prefer to use their own laptop or phone at work due to it not being as restricted.
• Security, as the employees’ use their own laptops they will unlikely be restricted meaning there is a greater risk of their laptops being infected with malware. With business documents likely being stored on the laptop adding to the risk.
• Device disparity, as employees will likely own a range of differing devices it will add to the complexity putting secure mechanisms in place if any. One size fits all solutions will unlikely work.

A couple of months ago the NHS discovered that employees had been using their personal devices to share patient information via Snapchat. This was an alarming case of shadow IT, where there is no control or trace of the flow of data.

Challenges like what the NHS faced will need to be addressed if the BYOD policies are to work under GDPR. GDPR will bring huge fines for non-compliance so the issues like the following will have to be addressed:

• Which type of corporate data can be processed on personal devices
• How to encrypt and secure access to the corporate data
• How the corporate data should be stored on the personal devices
• How and when the corporate data should be deleted from the personal devices
• How the data should be transferred from the personal device to the company servers

If businesses put processes in place to mitigate against the above challenges they will then be faced with the challenge of making sure that employees abide by the policies. The complications that will come with being GDPR compliant while having BYOD policies might mean we see a reduction in employers allowing their employees to use their own devices.

If you or your business are concerned about the upcoming GDPR we have a tool that will help you discover your compliance posture. Find out more and register your interest here: http://www.cyreg.co.uk/

Sources

http://www.silicon.co.uk/e-regulation/governance/nhs-doctors-snapchat-216535

http://www.computerweekly.com/opinion/BYOD-data-protection-and-information-security-issues