BYOD Policies and GDPR: How Do You Comply?
Bring Your Own Device (BYOD) policies are a normal part of today's workplace. However, the EU's General Data Protection Regulation (GDPR) raises concern about the security issues BYOD policies can introduce. With fines of up to €20 million or 4% of an organization's global annual turnover (whichever is greater), any security risk carries a much greater impact under GDPR. BYOD policies and GDPR must be taken seriously in order to avoid fines. Consider these practices when updating your BYOD policy to comply with GDPR.
Data Storage
When focusing on data security and protection, it's imperative to lower the risk of data breaches or leaks. To accomplish this, store as little personal data as possible on BYOD devices. Where some personal data must be stored on a BYOD device, Mobile Device Management (MDM) tools can be used to protect it. Any data that is stored on employee devices should also be protected through encryption and access controls, and access to an employee device that stores personal data should be password-protected for added security.
Limit Data Transfers
BYOD policies that reduce the number of data transfers lower the risk of a breach occurring. The policy should also restrict the use of public Wi-Fi and always-on Bluetooth, as well as unsecured data transfers via USB keys. In addition, avoid public data backup and transfer services where possible. The servers behind such services are not necessarily located in EU countries, so using them would require a separate impact assessment.
Emphasize Security
Although BYOD devices are not company owned, they are still subject to the organization's security policies. To that end, the installation of third-party apps should be restricted, as such apps could introduce vulnerabilities that lead to data leaks. Enforcing secure device settings gives employees better security and moves them toward compliance. An MDM solution is also helpful if a device is lost, as it allows the data to be remotely wiped from the device, keeping it secure.
Human Error
To reduce the risk that human error brings, employees should be educated regularly about privacy through training and workshops. This leads to fewer incidents of personal data being exposed through negligence. Employee education builds an understanding of why data protection matters and makes the consequences of such negligence clear.
Privacy of Employees
Organizations are legally required to protect employee data, and it is prudent to do so regardless, because employee data can be considered sensitive. Organizations must make sure that company servers and apps do not accidentally access employee data. This matters because employee data is usually not protected or encrypted, and employees must give consent to the collection of their data before it is collected. The family members of employees must also be taken into account. If employees' family members are unknowingly tracked through a shared device, that is a serious violation of privacy. If this is a possibility, organizations must notify their employees.
BYOD policies aren't going anywhere in today's corporate environment. However, that doesn't mean they won't be updated. GDPR has a wide reach, and for many companies it's "comply or die." With a few changes, though, BYOD policies and GDPR can coexist without any fines being incurred.