The new GDPR legislation came into effect in May 2018, and all businesses should now be following stricter rules to protect personal data held in office systems. But what about employees who use their own devices for work?
This could be a real issue for SMEs, which may not have considered how to address this problem following the recent changes to data protection law.
Employees using their own personal devices to access and store personal and possibly sensitive data about clients, prospects, suppliers and colleagues creates a grey area, which can be legally risky for employers.
One way to control this is to have clear guidelines on who is allowed to use their own device, perhaps limiting use to certain job roles. Another popular way is to create a 'Bring your own device' (BYOD) policy.
What is a BYOD policy?
A BYOD policy gives guidance around the protection of data when employees use their own device to access work information. Employers should set up a system for authorising the use of personal devices, and keep a record of who is doing so.
The policy should ensure that employees follow certain procedures, such as:
- Using a strong password or passcode to lock their device and enabling automatic locking after a short period of inactivity.
- Enabling a setting on the device whereby its data is automatically wiped after several consecutive incorrect password attempts, or after the device has been inactive for a set period of time.
- Transferring data in a secure way to prevent third party access. One way to ensure sensitive data is kept safe when shared is to use encryption software, or to transfer it via an encrypted channel.
- If using removable media such as a USB stick to transfer personal data, ensuring that the data is deleted once the transfer is complete.
- Assessing the security of any open network or Wi-Fi connection that they use.
- Avoiding downloading any unverified or untrusted apps that may pose a threat to the security of the information held on their devices.
- Ensuring that they do not retain personal data for longer than necessary, unless there is a requirement to retain it for longer to comply with a legal obligation.
- Ensuring that when they delete information, it is deleted permanently rather than left recoverable in the device's recycle bin, trash folder or recently deleted items.
- Once the employee leaves the organisation, deleting all work-related personal data on their own device prior to their last day.
How else can I protect data on personal devices?
Another way to enforce compliance with data protection rules is mobile device management (MDM). This allows the device to be configured and controlled remotely, meaning that work data can be wiped if the device is stolen, replaced, sold or given to family or friends.
Overall, SME owners and leaders should ensure all staff understand what amounts to personal and sensitive data, and the obligations that apply when holding such data.
Taking steps to protect data on personal devices will, ultimately, reduce the chance of receiving a large fine for breaking the new data protection rules.
Written by Kirsten Cluer, HR consultant and owner of Cluer HR