New Technologies

BYOD and data protection – incompatible or manageable?

Employers increasingly want to introduce BYOD to their companies. They typically expect three key effects from allowing BYOD: (i) cost efficiency, (ii) cost efficiency, and (iii) cost efficiency. However, BYOD means that a company must allow private devices to get linked to its data and databases. In other words: BYOD raises serious data protection concerns.

Bring Your Own Device (BYOD) is a smart solution. It allows employers to assign the company’s device management to their employees and, by doing so, to save manpower and costs on device support and maintenance. Yet there is a flip side of the coin: BYOD involves an employer allowing its employees to directly link their private devices to the company’s (secure) IT environment and to access (sometimes sensitive) company data through their private devices.

How should this situation be viewed from a data protection perspective? When processing its data (typically HR, customer and supplier information), a company acts as a data controller and must therefore adhere to the obligations imposed on data controllers by Austria’s data protection law. In a nutshell, the company must exercise control over its data processing activities and ensure that the data is processed upon valid legal grounds and in a safe environment. Also, the company must ensure that the data is not disclosed to any unauthorized third parties.

When thinking about BYOD, it becomes obvious that BYOD potentially conflicts with these obligations. By allowing BYOD, an employer basically deprives itself of control over its data. The data will be stored on private devices that, by their very nature, neither belong to the company nor are under its control. Also, such external and — from a company’s perspective — potentially unsafe devices might be able to bypass the company’s IT safety measures and establish direct links to its databases. In terms of data protection law, this means that the owner of the private device (typically the employee) gains rather unlimited control over the company’s data. This puts him/her in a data controller’s position. Any BYOD-related access to this data or any transfer of it to the employee’s device must therefore be qualified as a controller-to-controller data transfer. Such a data transfer may only be performed upon valid legal grounds. The key issue with BYOD, however, is that the employee’s private device could easily be used by third parties (eg, the employee’s relatives or friends) without the company’s knowledge, let alone its consent. From the company’s perspective, this means corporate data is transferred to a “black box” data recipient: the company can neither exclude that the employee’s private device will be used by parties other than the employee, nor can it set any limits in this respect (as this would contravene the idea of a “private” device being used — in contrast to a company device that is used at home).

Austria’s data protection law, however, does not acknowledge data transfers to “unknown” data controllers. The solution to this problem might be found in setting up a controller-to-processor relationship between the company and its employees. However, as the key concept of a data processor working on behalf of a data controller lies in the use of external data processing services, this concept does not correspond to an employer-to-employee relationship. In other words, Austrian data protection law imposes obligations on data processors that cannot easily be administered by an employee. Similarly, BYOD undermines the company’s security concept, since it typically allows devices to link to the company’s databases although these devices are not secured by the company’s IT safety measures. A valid data controller-to-data processor relationship, however, would require the employee (to the extent he/she is deemed a data processor) to ensure that his/her data security standards are equal to those of the company (or, at least, to those of other – external – data processors). As private devices typically rely on consumer-orientated security features, which commonly offer a lower level of security than corporate measures, it becomes obvious that the employee will not be able to comply with this requirement either.

So how should these concerns best be tackled, considering that BYOD is most likely not mere hype but rather an (at least) medium-term trend? In the light of the current data protection regulation, risk minimization might be the best solution. This means a company should be aware that BYOD does not really comply with the structure of Austrian data protection law. A company allowing BYOD is therefore well advised to ensure that it still retains control over its corporate data to the extent possible, despite allowing the data to be stored on private devices and despite allowing such private devices to directly link to the company’s databases.

This will require the company not only to put into force a comprehensive BYOD privacy policy that thoroughly imposes the respective obligations on its employees. The company will also have to train its employees frequently on how to use their private devices in a proper and data protection-compliant manner. Apart from this, the company should retain its control over corporate data to the extent technically feasible (eg through the implementation of remote access features or similar measures).

However, these thoughts should be understood as nothing more than an initial sketch of the problem. All in all, BYOD is one of the most challenging data protection topics companies are likely to face in the near future. For a company, it is therefore essential to understand the fundamental discrepancy between BYOD and data protection law in order to make sure that the firm’s BYOD approach and practice properly approximates Austrian data protection regulations.