According to recent research by CompTIA only 4% of firms have actually rolled out a full Bring Your Own Device (BYOD) policy. In it’s Third Annual Trends in Enterprise Mobility research, CompTIA did, however, find that 44% of enterprises have a partial strategy in place. That means nearly half of companies are on the way to allowing employees to use their own personal devices in the workplace.
In talking to customers recently however another issue emerged that is proving a challenge to manage – who owns the data on a personal device that’s used (and approved) for corporate activity?
Take this scenario for example. On a night out an employee has his mobile phone stolen. As per the best practice policy of your BYOD/CYOD strategy, he immediately informs IT/facilities of the loss. IT/facilities invoke its MDM solution and wipe the phone to ensure no unauthorised access to the network is possible. The employee returns home only to find his phone on the kitchen table but without his personal apps, photos, videos, notes and other data. Understandably he’s upset. On the phone was a set of recent (and not backed up) videos of his pet that he had to have put down. He ascertains that he owns the personal data on the device and the company had no right to delete it.
Where does ownership of data on a personal device sit in a BYOD/CYOD scenario? For many companies its unchartered territory. And for some employees, the risk of having their data automatically deleted from their phone is too great pushing them back to having two devices – defeating the point of BYOD. So is there a middle ground?
The problem lies with the issue that under BYOD the employee owns and may even maintain the device. This means IT has less control than ever. There is guidance out there – The UK Information Commissioner’s Office (ICO) who is responsible for enforce the UK Data Protection Act has published guidance for companies considering BYOD policies, but this is more on compliance than ownership.
One solution is to establish a method for ring-fencing corporate data from personal data using something like Secure Workspace in BES10 or Secure Content Locker in Airwatch. This will allow IT to decide how, when and where data is stored and managed.
We feel the key to creating a successful BYOD policy however is to ensure buy-in is gathered from the outset. Bring in different departments – HR, legal, operations and IT – to discuss the parameters of company ownership of mobile data and in turn its responsibility to employees. Once a joint methodology is developed, a workable mobility policy can be defined. This policy is key in protecting both employees and the companies that they work for from potential legal wrangling in the future. Make sure the policy is clear on ownership and that employees understand their responsibilities to data protection. That way when the other 66% of companies identified by CompTIA start to roll out a BYOD policy, they’re more likely to have a workable and well-defined process for co-ownership in place.