Firms must have proper BYOD strategy, ICO warns

Organisations implementing a bring-your-own-device (BYOD) policy should make sure that they have a clear set of policy guidelines in order to protect against the risks that come with the use of personal smartphones and tablets within the workplace.

That is the verdict of the Information Commissioner's Office (ICO), which has warned that although many organisations are already allowing workers to use their own devices, many firms still do not have the proper regulations in place to ensure the confidentiality of data.

The ICO added that it has already seen a number of high-profile incidents involving well-known organisations losing data, including the Royal Veterinary College, which received a warning for such failings last year, when an employee lost a camera containing the passport photos of six potential job applicants.

Simon Rice, group manager for the technology team at the ICO, said: "As the line between our personal and working lives becomes increasingly blurred it is critical employers have a clear policy about personal devices being used at work.

"The benefits must be balanced against the potential risks to work-related personal data but the organisation should not underestimate the level of effort which may be required to ensure that the processing of personal data with BYOD remains compliant with all eight principles of the Data Protection Act."

He added that it was important for companies to remember that it is employers that are held liable for any breaches under the Data Protection Act.

In order to help organisations avoid falling foul of the law, the ICO has issued a number of key recommendations for proper BYOD use.

It stresses the importance of ensuring that all devices involved in data transfers are secure and under the control of an organisation's overall IT infrastructure, so that they can be remotely wiped if they are lost or stolen. Meanwhile, it also stresses that it is important to ensure that all employees are aware of what constitutes acceptable use in order to eliminate the potential threat of malware.