U.K. data watchdog warns on BYOD risks

Bringing your own device to work may be beneficial to the worker, but what about when personal citizen data gets loaded on to such devices? British authorities are firing off the warning flares.
Written by Zack Whittaker, Contributor

British data officials have warned that many U.K. employers "appear to have a laissez faire attitude" towards staff using their own devices in the workplace.


By failing to give employees guidance on how to work with data when using their own devices, employers could be putting citizens' personal information at risk of theft or data breaches, the Information Commissioner's Office (ICO) warns.

The ICO commissioned a survey by polling group YouGov, which said that 47 percent of all U.K. workers are already using their own smartphone or tablet in the enterprise. However, less than one-third have been given corporate guidance on how these devices.

This concerns the ICO, the organization in charge of data protection and privacy in the U.K., as more than two-thirds of workers may not know how to look after sensitive data when it is accessed or stored on their bring-your-own-device (BYOD) tablets and smartphones.

The ICO this week published its latest guidance note [PDF] on some of the risks that employers face when allowing personal devices into the enterprise. While BYOD is on the rise in the U.K., employers must remember that the Data Protection Act, which stems from a 1995 European directive, still applies to these devices.

"Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider," said ICO technology group manager Simon Rice.

"For example, does the organisation know where personal data is being stored at any one time? Do they have measures in place to keep the information accurate and up-to-date? Is there a failsafe system so that the device can be wiped remotely if lost or stolen?"

The data protection and privacy watchdog is keen to stress that even if enterprise employers do not have direct control over their staff's devices, through mobile device management (MDM) services or similar technologies, they still have a responsibility as "data controllers" to ensure that any data that employees use, even on their own devices, remains safe and protected.

"It is important to remember that the data controller must remain in control of the personal data for which he is responsible, regardless of the ownership of the device used to carry out the processing," the ICO reiterates. 

"It means you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised," the advice notes. "This is relevant if personal data is being processed on devices which you may not have direct control over."
