Earlier this month, the United Kingdom’s Information Commissioner’s Office released guidance for BYOD. The 13-page document, which is available for free as a PDF (see link at the bottom of the post), defines BYOD (bring your own device), its risks and benefits, and how to go about protecting any sensitive data that may be stored on mobile devices. (If I may note, many of the recommended practices and solutions to security risks can be fulfilled via the use of AlertBoot’s managed MDM service, a completely web-based solution.)
BYOD: Complying with the Data Protection Act of 1998
Despite criticism to the contrary, the ICO is not a dinosaur that has outlived its usefulness. You can find proof in its recognition that BYOD – an acronym for instances where an individual supplies his or her device for work-related purposes – can be of extreme benefit to companies. Indeed, it has come out with a guideline to ease the process of setting up a data security policy, rooted in the DPA, the Data Protection Act.
The ICO notes that the seventh principle of the UK Data Protection Act states:
appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.
The ICO’s guide goes on to further note that “if personal data is being processed on devices which you [a company, agency, or other organization] may not have direct control over,” you must still prevent any personal data from being breached.
Impossible! you may claim. How am I supposed to control what’s happening on other people’s devices? But, the DPA is about data, particularly personal data collected by an organization – regardless of whether it may be sensitive in nature – and thus all guidelines and recommendations are data-centric. Indeed, it’s spelled out in black-and-white in the guideline:
It is important to remember that the data controller must remain in control of the personal data for which he is responsible, regardless of the ownership of the device used to carry out the processing.
In other words, if it turns out that it was your organization’s data that got compromised, the organization’s at fault. Sure, so is the employee, but the ICO doesn’t deal with individuals, unless they’ve set up a one-man consultancy, e.g.
Long Story Short: Encrypt, Educate, and Monitor
Yep, it’s that easy: encrypt your data, educate your employees (on what is allowed regarding the copying and transferring of data), and monitor the situation so that employees are doing what they’re supposed to be doing. While that’s not all you need to do, it probably covers a good 80% of it. But, easier said than done, right?
While there are different ways of going about it, the use of an MDM (mobile device management) solution like AlertBoot makes it easy. The fully web-based AlertBoot Mobile Security allows an administrator – without going through the process of setting up any extra services such as physical servers or signing up for cloud storage – to push encryption or passwords on users’ smartphones and tablets. And, the integrated and customizable reporting engine allows one to easily see whose device is in compliance and, more importantly, whose isn’t.
You’ll still have to write up your own company security policies, though.
Related Articles and Sites: