Out-Law / Your Daily Need-To-Know

Fewer than a third of large EU companies have BYOD policies, says study

Out-Law News | 10 Oct 2013 | 8:19 am | 2 min. read

Fewer than a third of businesses in Europe with more than 1,000 employees have a formal 'bring your own device' (BYOD) policy, yet almost all British businesses surveyed (97%) said they had suffered, or expected to suffer, a BYOD-related security breach, according to a new study.

Samsung surveyed chief information officers (CIOs) and IT decision makers at 490 European companies with more than 1,000 staff. More than a third (34%) said their business had lost customer data as a result of personal mobile devices being used by employees for work.

In the UK, 56% of the 100 large-business CIOs and IT decision makers surveyed said their company promotes BYOD for work. Across Europe, 31% of large businesses have a formal BYOD policy whilst a further 21% have an informal policy, Samsung said. At the moment, 30% of staff take up the option of using their own device for business where their employer permits it, it said.

Samsung's survey also found that businesses which permit BYOD save an average of 17%, or £6 million, on their annual communications costs.

In Britain, 47% of companies reported that staff are better engaged as a result of being able to use their own device for business, and 46% of those organisations said employees delivered "enhanced productivity" as a result, it said.

At the beginning of March this year, the UK's data protection watchdog published new guidance for employers on BYOD. The Information Commissioner's Office (ICO) stressed that organisations should remember that they are duty-bound to look after the personal data they are responsible for under data protection laws "regardless of the ownership of the device used to carry out the processing". Companies must ensure that devices used for work purposes are password-protected, and that data is encrypted both in transit and at rest on the device, it said.

The ICO also said that organisations should consider whether device functions that enable data transfer, such as Wi-Fi or Bluetooth, should be disabled. Staff should be issued with guidance on how to use Wi-Fi networks securely and should be made "aware that some devices may automatically connect to open Wi-Fi networks as they are found by the device", it added.

The watchdog said that organisations "must be able to demonstrate" that they have "secured, controlled or deleted all personal data on a particular device" in the event of a security breach. However, it said that organisations that choose to track devices in order to be able to remotely access and delete data, particularly in the event of a loss or theft of devices, should make sure that "data collected as part of a remote locate facility is only used for the specified purpose and not for on-going surveillance or monitoring of users".

Employment law expert Edward Goodwyn of Pinsent Masons, the law firm behind Out-Law.com, previously said that firms should implement a formal policy that addresses information security issues relating to BYOD.

"Any IT policy, whether in a staff handbook or not, should already deal with risks around the use of the devices such as misconduct, discrimination and confidentiality, but the specific issues around security and the conditions under which employees are permitted to bring their own device should be specifically drawn out in a BYOD policy," Goodwyn said.

"It would be helpful to have recorded agreement from the employee, such as a signed acceptance of the policy or at least an evidence trail showing that the policy has been highlighted to them, which indicates their agreement to the conditions under which they are allowed to bring their own device into the office," he added. "This will help the organisation to deal with any breach of the policy as a disciplinary issue and also give it a basis to request devices for checking where issues arise."

"The policy should also make it clear that the work data content will remain the organisation's property and include requirements for the individual to allow the content to be deleted, from the device as well as any copies which have been made, if the employee resigns or is dismissed. Equally, the policy should ensure that users of devices know their responsibilities in terms of only using corporate data for corporate purposes," Goodwyn said.