BYOD and the DPA

Bring Your Own Device (BYOD) brings enormous potential benefits for organisations that adopt it, as well as for their employees. It also brings significant commercial and regulatory risks. In this post, I want to applaud the UK’s Information Commissioner for issuing clear and helpful advice on the steps that should be considered by organisations contemplating BYOD.

The cornerstone of the ICO’s advice is this: “It is important to remember that the data controller must remain in control of the personal data for which he is responsible, regardless of the ownership of the device used to carry out the processing.” This guidance is as true for organisations dealing with data that is subject to PCI DSS, GLBA, HIPAA, PIPEDA or virtually any other law anywhere in the world that sets out to protect personal information.

Organisations that have embraced or otherwise implemented BYOD should now move quickly to ensure that their BYOD policies and practices are aligned with the ICO’s advice – IT Governance Ltd have just issued a BYOD Policy Template toolkit (supported, as part of the price, with an Acceptable Use Agreement) that is designed for easy customisation to suit the requirements of your own organisation. This toolkit, uniquely, was constructed so that it would not only reflect the ICO’s most recent guidance, but so that it could easily be integrated into any ISO27001 or ISO22301 management system (particularly if it already uses one of the ITPG documentation toolkits).

I know, from conversations with many CIOs, that BYOD simultaneously entices and worries them – they can see the corporate financial benefits but worry about the security implications. In an environment where only BlackBerry is traditionally seen as a secure corporate communications device, the idea of migrating to potentially unsafe Android devices is a real worry. The thing is, any organisation can limit its BYOD options to those it considers safe – there is no reason to allow just any technology if corporate assets and personal data might be at risk.

BYOD is not going to go away. We are now clearly past the Early Adopter phase for this approach, which means that more and more organisations are going to have to think hard about how they approach the matter.

Combined with the growing use of Cloud services, BYOD could be the beginning of the end for traditional IT infrastructure – and for the IT department as we know it.