Your staff no longer want a company phone. They are fed up with carrying both a company phone and a personal phone, and they want to use one device, one they choose themselves, for all their communication. They want to keep the same phone number if they leave your business, and they might want to use a tablet they own too. Does this sound familiar? It's a growing trend, and one that forward-thinking organisations cannot avoid. People expect to be able to use their own devices, and businesses need to be prepared for it.
Under the Data Protection Act, any organisation that decides how and why personal data is processed is a 'data controller' and must be registered with the Information Commissioner's Office (ICO). The Act requires the data controller to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. This becomes more of a challenge when personal data processed by the company can sit on a device the company does not own.
So what should you be aware of?
Identify risks – You need to identify what types of data could end up on personal devices, since the sensitivity of that data determines the risk. Personal data, as mentioned above, is subject to the Data Protection Act, but you may also hold other confidential data (customer lists, contracts, financial information) that needs protecting. Once you know what data is involved, establish which types of device are likely to hold it: phones, tablets, home laptops, and the email, file-sync and messaging apps on them.
Write a policy – Regardless of any systems you implement to control devices holding the data, you should have a clear policy that makes staff aware of the data their devices will hold, their responsibilities for protecting it (passcodes, encryption, reporting loss promptly), an acceptable use policy, and any compliance systems you have in place to monitor use. Staff should agree to the policy before their device is given access.
Mobile device management – Increasingly, businesses are turning to technology to let staff use personal mobile devices without creating additional risk to the business, or risking non-compliance with the Data Protection Act. A well-implemented mobile device management system should:
- Keep business data separate from personal data, so the business does not lose control of it
- Be able to remove or block access to business data if the device is lost or stolen, or when the employee leaves the business, without needing to wipe the employee's personal data
- Control which devices can access company data (for example, requiring a passcode and device encryption before enrolment) and keep an audit trail of that access
- Ensure that company data can only be accessed by a person specifically authorised to do so, and that the authorisation can be revoked
Where your business processes personal data and there is a chance it may be held on personal mobile devices, best practice is to keep the business data in a separate 'app' or container that is password-protected, encrypted and completely separated from the employee's own data. That separation is what lets you meet the Act's requirements (controlled access, protection against loss) while leaving the employee's personal photos, messages and contacts untouched.