BYOD and the Data Protection Act
By Stuart Janicki • 14 May 2013
Safeguarding data from exposure and loss is vital in any business environment.
As more employees use their own devices for work, companies have to consider how to protect data from new threats and risks.
What is bring your own device?
Bring Your Own Device (BYOD) refers to employees using their own devices, such as smartphones, tablets and laptops, for work.
BYOD is a growing trend amongst employees and managers who feel their own devices are more technically advanced, who simply prefer them, or who want to work outside the office environment.
For organisations, BYOD reduces the capital expenditure associated with hardware refreshes. Employees are also kept motivated by the ability to work where and how they choose.
What does the Data Protection Act say?
Whilst BYOD brings productivity and motivation benefits, the law concerning the protection of personal data still applies and must be considered.
The law governing the protection of personal data in the UK was established by the Data Protection Act 1998. The Act sets out eight data protection principles that must be adhered to. For BYOD, the most crucial of these is the seventh:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
This means that personal data must be protected and kept secure, and it is the duty of the company holding it to do so.
The Information Commissioner’s Office (ICO) is responsible for upholding information rights in the public interest. It has the power to investigate organisations and to fine them when the DPA is breached. Over the last twelve months the worst cases have carried fines of £150,000, £250,000, £300,000 and £325,000. The most common breach of the DPA is the loss of a device that contains personal data.
Protecting the most critical data.
It is within the company’s interest to protect personal data.
No company can afford the reputational damage of publicly admitting a loss or breach of data (as was seen during the Playstation Network data exposure), or the financial penalty of a six-figure fine.
The loss or breach of personal data can cost the company existing customers, cost employee time to rebuild or restore the data, and deter new customers from joining.
The company must uphold its responsibility to protect this data and implement measures that reduce the risks to it.
This starts with formulating an actionable data security policy that identifies the areas of the business that need protecting, the risks they pose, and the precautions you can put in place.
Some of these areas may include:
- Computer Security – passwords, firewalls, anti-spyware, virus checkers and backups.
- Email Security – auto-completion of the To and CC fields (sending to the wrong recipient), attachments, and the security of email in transit.
- Staff training – access permissions, the expectations of data security, passwords, spam awareness, file downloads.
Although never perfect, the management of these measures can be relatively simple in a traditional IT environment.
Fixed assets such as hardware, software and systems can be tracked, so a risk assessment is achievable for the assets the company controls, and measures such as password policies, firewalls, virus checkers and backups can then be deployed centrally to every one of them.
It is of course, a lot easier to control the flow and accessibility of data when the equipment belongs to the organisation.
Considerations of BYOD data protection.
But what happens when staff want to use their own devices and you want to reap the rewards… well, the rules are the same – it’s still your responsibility.
In the BYOD world, you still have to ensure that there is appropriate security in place to prevent the exposure of personal data you hold. The fact that you are not in direct control of the device makes it even more relevant to have adequate policies in place.
Therefore BYOD needs governing, and it is important that it becomes part of the data security policy.
- Acceptable use – make staff aware that they are accountable for their behaviour, and therefore need to understand the data they are handling.
- The right data for the right device – make sure that employees know what types of personal data may be processed on their own devices, and which may not.
Further than this, you need to consider how the data and the devices are being handled:
- Data location – Where is the data being stored, is it in the cloud or on the device? Are you able to control the security of this data and what level of transparency do you have?
- Access to devices – If the data is held locally, is there a risk of access to the data? Is the machine or device the data is stored on protected with a PIN or Password?
- Access to data – Is the data that employees hold encrypted? Could anyone with inappropriate access to the device – or even the memory card and hard drive – be able to read the data?
- Backup of data – How do employees ensure that the data they create is backed up? Are they backing up to a local device such as a hard disk drive? Is this process automated and is it secure?
- Transfer of data – How do employees move data around? Are they using secure USB devices and is the WiFi Network secure?
These are just some of the issues you should consider. The rules around protecting data have not changed, but the way data is accessed and handled has. These small form-factor devices and personal laptops should be treated as company assets for the purposes of the data security policy.
Protect data in a BYOD environment.
There is technology that you can implement in a BYOD world to protect data.
As an example, I’ve chosen four solutions that you may wish to consider. This is different for each organisation as it depends on how you operate, what devices you use and the level of protection you need for your data.
Data Defence
Data Defence enables IT administrators to enforce encryption and security policies on laptops, iPhones, iPads and USB flash devices from one web-based console.
When a device is lost, or multiple incorrect attempts are made to unlock it, the device can be locked down or its encryption keys destroyed. Without the keys, the encrypted data on the device cannot be read, so a lost device no longer amounts to a data breach. Note that this protects only data that was actually encrypted on the device, not copies that were synced or emailed elsewhere. Find out more about Data Defence.
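The lock-out and key-destruction behaviour described above, together with the PIN and encryption questions from the considerations list, as an added example that is not part of the original post or of the Data Defence product. It assumes an attempt limit of five (a policy choice, not a value from the page), keeps a random data-encryption key (DEK) wrapped under a PIN-derived key, and wipes the wrapped DEK once the limit is reached, so that even the correct PIN cannot recover the data afterwards. The authenticated cipher is an HMAC-SHA256 counter-mode stand-in built from the standard library so the script runs offline; a real device would use AES-GCM. Class and function names are mine.

```python
"""Failed-attempt key destruction for an encrypted device (added example)."""
import hashlib
import hmac
import os
import secrets

# Assumed policy values for this example, not figures from the page.
PBKDF2_ITERATIONS = 100_000
ATTEMPT_LIMIT = 5


class AuthenticationFailed(Exception):
    """MAC did not verify: wrong key (wrong PIN) or tampered blob."""


class KeysDestroyed(Exception):
    """The wrapped key has been wiped; the data is unrecoverable."""


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate keys for the keystream and the MAC, derived with HMAC.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: stand-in for a real stream/AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise AuthenticationFailed("tag mismatch")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class DeviceVault:
    """Per-device store: a random DEK wrapped under a PIN-derived KEK.
    Only the wrapped DEK is ever stored; the PIN itself is never kept."""

    def __init__(self, pin: str, attempt_limit: int = ATTEMPT_LIMIT):
        self.salt = os.urandom(16)
        self.attempt_limit = attempt_limit
        self.failures = 0
        dek = secrets.token_bytes(32)
        self.wrapped_dek = seal(self._kek(pin), dek)

    def _kek(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ITERATIONS)

    def unlock(self, pin: str) -> bytes:
        """Return the DEK for a correct PIN; count failures and wipe at the limit."""
        if self.wrapped_dek is None:
            raise KeysDestroyed("keys already destroyed")
        try:
            dek = unseal(self._kek(pin), self.wrapped_dek)
        except AuthenticationFailed:
            self.failures += 1
            if self.failures >= self.attempt_limit:
                self.wrapped_dek = None          # key destruction: data is now unreadable
                raise KeysDestroyed("attempt limit reached") from None
            raise
        self.failures = 0                        # a correct PIN resets the counter
        return dek

    def store(self, pin: str, plaintext: bytes) -> bytes:
        return seal(self.unlock(pin), plaintext)

    def read(self, pin: str, blob: bytes) -> bytes:
        return unseal(self.unlock(pin), blob)


def attempt(vault: DeviceVault, pin: str, blob: bytes) -> str:
    """Try to read `blob` with `pin` and report the outcome as a status string."""
    try:
        vault.read(pin, blob)
        return "ok"
    except AuthenticationFailed:
        return "wrong-pin"
    except KeysDestroyed:
        return "destroyed"


if __name__ == "__main__":
    vault = DeviceVault("2468")
    record = vault.store("2468", b"constructed sample: customer record")  # constructed data
    print([attempt(vault, "0000", record) for _ in range(ATTEMPT_LIMIT)])
    print(attempt(vault, "2468", record))      # correct PIN, but the keys are gone
```

The property worth noticing is the last line of the demo: after the limit is hit the correct PIN is as useless as a wrong one, because the thing that was wiped is the wrapped key, not a login flag. A lock-out that only sets a flag can be bypassed by pulling the storage and reading it elsewhere; a wipe of the wrapped key cannot.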
Hosted Desktops
Provide your users with a cloud-based desktop that they can access from anywhere, on any device.
Incredibly effective in a BYOD laptop environment: every user accesses the same operating system and configuration, regardless of the hardware or software they are using.
The result of this virtual desktop is that data stays in secure data centres and away from the BYOD device. If a laptop is lost or stolen, the data is not on it, provided the desktop policy also restricts downloads to the local device. Find out more about Hosted Desktops.
Access, Backup and Collaboration
Store files in the cloud that can be securely shared with other users and guests.
Data is held in a secure data centre, with granular file level control with password protection and date-controlled expiration of access to files.
ABC is accessed from a web-based portal (with the option to have files stored on local devices), so data does not have to be held on the device itself. It provides the same benefits as the Hosted Desktop while enabling file access for a wider audience on more devices. Find out more about Access, Backup and Collaboration.
Online Backup
Data is backed up automatically from the BYOD device to two secure cloud data centres.
This ensures that if data is lost through accidental file deletion or corruption, multiple file versions are held in the cloud, removing the need to recreate it.
Another benefit is that users no longer need to make their own backups to USB drives, which are easy to lose or steal and are often unencrypted, a frequent cause of data exposure. Find out more about Online Backup.
Whatever technology you choose, the key is to make sure the data is secure: preferably stored in the cloud rather than on the device, or, where it must be on the device, encrypted and under your control.
Where appropriate, BYOD should be embraced as a great way to work, promoting efficiency and employee morale… just don’t forget that protecting the data is achievable, and deserves serious consideration.