Bring your own device (BYOD)

01 February 2015

Updated February 2015

Gives employers introductory guidance on the legal implications of bring your own device (BYOD), where employees use their own mobile devices for work. Covers the four issues a BYOD policy should address: data protection and data security, personal use, the procedure when an employee leaves the company, and ownership. Also explains why employers adopt BYOD.

One of the latest challenges for many employers is managing the risks associated with the recent trend for employees bringing their own devices to work. 

Bring your own device (BYOD) means allowing employees to use their own mobile devices for work purposes. This includes devices such as smartphones, laptops and tablets. A BYOD culture essentially allows employees access to company data on their own device at a time and location that is convenient to them.

This factsheet examines some of the challenges posed by employees and the use of BYOD. It also provides some practical tips on how to minimise the associated risks.

The primary concerns relate to:

  • Data protection and data security.
  • Ensuring that mechanisms are in place to deal with lost or stolen devices.
  • What to do when an employee leaves their job. 

Accordingly, any business planning to introduce this concept should also roll out a policy which addresses these risks.

An employer should devise, in conjunction with its IT Department, its strategy and BYOD policy for allowing employees access to its systems. Issues peculiar to the system may dictate certain functionality or compatibility requirements for the proper performance of external devices on the system, for example, Apple devices only.

Additionally, it may be essential for the ongoing maintenance of the system to make employees send the device to the IT Department before connecting, and to make connectivity subject to the employee agreeing to keep the software up to date with the most recent upgrades.

A BYOD policy should address the following issues:

The primary concern from a data perspective is the obligation on data controllers to keep personal data secure and to take 'appropriate security measures' to prevent 'unauthorised access…or disclosure' of the personal data.

Assuming that employees can access personal data such as emails on the device, there is a clear risk of unauthorised disclosure of, or access to, personal data if that device is lost or stolen. Additionally, an employer will have concerns relating to the confidentiality and security of its sensitive information.

Therefore, a prudent employer should ensure the following:

  • All devices are password protected and encrypted.
  • No data can be stored on the device. Data should be accessed via cloud computing, that is, the data is stored on servers at remote locations and accessed through a web browser. Data mapping may also be used to keep track of where information is stored.
  • All devices can be wiped remotely if they are lost or stolen, or if an employee refuses to send the device to the IT Department to be wiped before leaving employment. A prudent employer will obtain the employees' consent to carry out remote wiping upfront as part of the BYOD policy.
  • Employees are obliged to keep the software on the device up to date or have the IT Department set up a command on the device so that when the device is switched on it automatically searches for all necessary updates and updates itself.

See our factsheet on data protection for more information.

An employer should consider whether it is appropriate and desirable for it to separate business use from personal use in the policy. This would essentially make it easier for the employer to manage and monitor the devices. 

However, it will be a difficult task to distinguish personal use from business use, as employees are using their own device both at work and, presumably, at home. It may be appropriate for an employer to keep the distinction vague, framing business use as 'time spent working' and linking obligations arising during that time to its Internet and social media policies.

For more information, see our factsheets on Internet use and misuse and social media.

A BYOD policy should make it clear that sending the device for approval by the IT Department is a prerequisite to being afforded access to its systems. It should also outline the process to be followed when an employee is leaving employment and state that remote wiping will occur if an employee doesn't follow this procedure.

A BYOD policy should clearly address who owns the device. That is, is it the personal property of the employee or the property of the employer if, for example, the employer provided an allowance for purchasing it?

Depending on the owner, the policy should also provide for what happens if a device is lost or broken and who is responsible for replacing or repairing it. If, for example, an employer decided to provide a technology allowance, the device would remain the property of the employer.

Accordingly, the employer could then decide in its absolute discretion to allow an employee to keep the device if all company data was removed and the device was sent to the IT Department for wiping before the employee leaves their job. 

These are all issues an employer needs to consider when drawing up the policy.

Employers in certain sectors will undoubtedly be faced with making a decision on whether or not to allow employees to bring their own devices into the workplace to ensure they remain in line with emerging practices. Employers who have never before thought it relevant may be encouraged to do so by the cost-saving efficiencies and flexible working opportunities that are associated with such a policy.

The key to implementing such a policy is planning and considering in advance the particular risk factors that might arise for a specific business. It is also essential that the IT Department plays an integral role in the drafting of a robust policy aligned to the particular requirements of the business. The policy must balance the employer's and employees' needs and also consider how to minimise the data protection risks. 

When these issues are considered and addressed, a BYOD culture should only increase productivity, decrease costs associated with maintaining IT hardware in the office and enhance employees' work/life balance.

This factsheet was written by A&L Goodbody, Solicitors, IFSC, North Wall Quay, Dublin 1.

© A&L Goodbody Solicitors. The material is not intended to provide, and does not constitute, legal or any other advice on any particular matter, and is provided for general information purposes only.