New Technologies

BYOD and data protection – incompatible or manageable?

Employers increasingly want to introduce BYOD to their companies. They typically expect three key effects from allowing BYOD: (i) cost efficiency, (ii) cost efficiency, and (iii) cost efficiency. However, BYOD means that a company must allow private devices to get linked to its data and databases. In other words: BYOD raises serious data protection concerns.

Bring Your Own Device (BYOD) is a smart solution. It allows employers to assign the company’s device management to its employees and by doing so, to save manpower and costs on device support and maintenance. Yet there is a flip side of the coin: BYOD involves an employer allowing its employees to directly link their private devices to the company’s (secure) IT environment and to access (sometimes sensitive) company data through their private devices.

How should this situation be viewed from a data protection perspective? When processing its data (typically HR, customer and supplier information), a company acts as a data controller and must therefore adhere to the obligations imposed on data controllers by Austria’s data protection law. In a nutshell, the company must exercise control over its data processing activities and ensure that the data is processed upon valid legal grounds and in a safe environment. Also, the company must ensure that the data is not disclosed to any unauthorized third parties.

When thinking about BYOD, it becomes obvious that BYOD potentially conflicts with these obligations. By allowing BYOD, an employer is basically depriving itself of its control over its data. The data will be stored on private devices which, by their nature, neither belong to the company nor are under its control. Also, such external and, from a company’s perspective, potentially unsafe devices might be able to bypass the company’s IT safety measures and to establish direct links to its databases. In terms of the data protection law, this means that the owner of the private device (typically, the employee) gains rather unlimited control over the company’s data. This puts her/him in a data controller’s position. Any BYOD-related access to this data or any transfer of it to the employee’s device must therefore be qualified as a controller-to-controller data transfer. Such a data transfer may only be performed upon valid legal grounds. The key issue with BYOD, however, is that the employee’s private device could easily be used by third parties (eg, the employee’s relatives or friends) without the company’s knowledge, let alone its consent. From a company’s perspective, this means corporate data is transferred to a “black box” data recipient, since the company can neither rule out that the employee’s private device will be used by parties other than the employee nor set any corresponding limits (as this would contravene the idea of a “private” device being used, in contrast to a company’s device that is used at home).

Austria’s data protection law, however, does not acknowledge data transfers to “unknown” data controllers. The solution for this problem might be found in setting up a controller-to-processor relationship between the company and its employees. However, as the key concept of a data processor working on behalf of a data controller lies in the usage of external data processing services, this concept does not correspond to an employer-to-employee relationship. In other words, Austrian data protection law imposes obligations on data processors that cannot be easily administered by an employee. Similarly, BYOD undermines the company’s security concept, since it typically allows devices to link to the company’s databases although these devices are not secured by the company’s IT safety measures. A valid data controller-to-data processor relationship, however, would require the employee (to the extent he/she is deemed a data processor) to ensure that his/her data security standards are equal to those of the company (or, at least, to those of other – external – data processors). As private devices typically rely on consumer-oriented security features, which commonly offer a lower level of protection than those of companies, it becomes obvious that the employee will not be able to comply with this requirement either.

So how should these concerns best be tackled when considering that BYOD is most likely not a mere hype, but rather an (at least) medium-term trend? In the light of the current data protection regulation, risk minimization might be the best solution. This means a company should be aware that BYOD does not really comply with the structure of Austrian data protection law. A company allowing BYOD is therefore well advised to ensure that it still retains control over its corporate data to the extent possible, despite allowing the data to be stored on private devices and despite allowing such private devices to directly link to the company’s databases.

This will require the company not only to put into force a comprehensive BYOD privacy policy that thoroughly imposes the respective obligations on the employees, but also to frequently train its employees on how to use their private devices in a proper and data protection-compliant manner. Apart from this, the company should retain its control over corporate data to the extent technically feasible (eg, through the implementation of remote access features or similar measures).

However, these thoughts should be understood to be nothing more than an initial sketch of the problem. All in all, BYOD is one of the most challenging data protection topics companies are likely to face in the near future. For a company, it is therefore essential to understand the fundamental discrepancy between BYOD and data protection law in order to make sure that the firm’s BYOD approach and practice properly approximates Austrian data protection regulations.
