Out-Law News | 05 Jan 2016 | 5:24 pm | 1 min. read
European Data Protection Supervisor (EDPS) Giovanni Buttarelli made the recommendation in new guidelines (26-page / 1.39MB PDF) issued to EU institutions, but technology law expert Luke Scanlon of Pinsent Masons said the advice, together with other aspects of the guidance, would help other organisations comply with EU data protection laws.
The guidance in part reflects the 'bring your own device' (BYOD) trend where staff use their own smartphones or other mobile devices for work purposes; an activity which if not addressed can raise a number of IT security and data protection issues for many businesses, Scanlon said.
Buttarelli said the case-by-case assessment should make up a part of an EU body's mobile devices policy. The assessment should involving looking into "the benefits of allowing the use of mobile devices for specific processing operations taking account of the risks and invasiveness that such use may imply", he said.
"This assessment should take into account the added functionalities and features of the mobile device, such as enriching a contact list by adding photographs for the contacts with the camera of the mobile device," the guidance said. "It also should include the impact of the introduction of mobile devices on the security of the current IT infrastructure. The introduction of insecure mobile devices might cause security challenges for an IT infrastructure that was designed relying on the assumption that all end-devices are secure and that the attackers are located outside the network."
The guidance urged EU bodies to "assess the risks to institutional and private personal data before introducing BYOD in the organisation" and have a policy to govern the use of personal devices for work purposes.
An "acceptable-use policy regarding mobile devices" should also be established to, among other things, set "clearly defined uses of the mobile devices approved" and "what institutional information and personal data is allowed to be stored and transferred to mobile devices", it said.
"The acceptable-use policy should be formally accepted by users before they can use mobile devices," the guidance said. "In case the acceptable use policy changes, the new one should be promptly communicated to the users which will need to accept it again."
"As for the BYOD scenario the policy governing BYOD should be easily available to all possible users of BYOD before they decide to use or not their own mobile devices for professional matters. This policy should include 'opt-in' compliance with the policy, besides the acceptable use policy for all mobile devices, as a condition for BYOD permission; and 'opt-in' user permission for systems management and monitoring of BYOD devices," it said.
The EDPS also issued new guidance on personal data and electronic communications in the EU institutions (31-page / 2MB PDF).