Fewer than a third of large EU companies have BYOD policies, says study

Fewer than a third of businesses in Europe with more than 1,000 employees have a formal 'bring your own device' (BYOD) policy, but almost all British businesses (97%) have suffered or anticipated a BYOD security breach, according to a new study.

10 Oct 2013

Samsung surveyed chief information officers (CIOs) and IT decision makers at 490 European companies with more than 1,000 staff. More than a third (34%) said their business had lost customer data as a result of personal mobile devices being used by employees for work.

In the UK, 56% of the 100 large business CIOs and IT decision makers surveyed said their company promotes BYOD for work. Across Europe, 31% of large businesses have a formal BYOD policy whilst a further 21% have an informal policy, Samsung said. At the moment, 30% of staff take up the option of using their own device for business when allowed to do so by their employer, it said.

However, Samsung's survey also revealed that businesses that permit BYOD save 17%, or £6 million, on average on their yearly communications costs.

In Britain, 47% of companies have reported that staff are better engaged as a result of being able to use their own device for business, with employees at 46% of those organisations delivering "enhanced productivity" as a result, it said.

At the beginning of March this year, the UK's data protection watchdog published new guidance for employers on BYOD. The Information Commissioner's Office (ICO) stressed that organisations should remember that they are duty-bound to look after the personal data they are responsible for under data protection laws "regardless of the ownership of the device used to carry out the processing". Companies must ensure that devices used for work purposes are password-protected, and that data is encrypted when being transferred as well as being stored, it said.

The ICO also said that organisations should consider whether device functions that enable data transfer, such as Wi-Fi or Bluetooth, should be disabled. Staff should be issued with guidance on how to use Wi-Fi networks securely and should be made "aware that some devices may automatically connect to open Wi-Fi networks as they are found by the device", it added.

The watchdog said that organisations "must be able to demonstrate" that they have "secured, controlled or deleted all personal data on a particular device" in the event of a security breach. However, it said that organisations that choose to track devices in order to be able to remotely access and delete data, particularly in the event of a loss or theft of devices, should make sure that "data collected as part of a remote locate facility is only used for the specified purpose and not for on-going surveillance or monitoring of users".

Employment law expert Edward Goodwyn of Pinsent Masons, the law firm behind Out-Law.com, previously said that firms should implement a formal policy that addresses information security issues relating to BYOD.

"Any IT policy, whether in a staff handbook or not, should already deal with risks around the use of the devices such as misconduct, discrimination and confidentiality, but the specific issues around security and the conditions under which employees are permitted to bring their own device should be specifically drawn out in a BYOD policy," Goodwyn said.

"It would be helpful to have recorded agreement from the employee, such as a signed acceptance of the policy or at least an evidence trail showing that the policy has been highlighted to them, which indicates their agreement to the conditions under which they are allowed to bring their own device into the office," he added. "This will help the organisation to deal with any breach of the policy as a disciplinary issue and also give it a basis to request devices for checking where issues arise."

"The policy should also make it clear that the work data content will remain the organisation’s property and include requirements for the individual to allow the content to be deleted - from the device as well as any copies which have been made - if the employee resigns or is dismissed. Equally, the policy should ensure that users of devices know their responsibilities in terms of only using corporate data for corporate purposes," Goodwyn said.