
Posted on 17-Jul-2020


Your Panel:

Paula Barrett, Partner, Eversheds LLP

Hazel Polka, Assistant General Counsel, EMEAI, Beckman

Kasey Chappelle, Global Privacy Counsel, Vodafone Group

James Leaton Gray, Head of Information Policy & Compliance, BBC

• Update on key privacy issues

• In-house perspective on implementation of BYOD

• Lessons learnt and other take-aways – to read at your leisure...

Programme

...you can’t stop the devices coming in!

What’s all the fuss...

• March 2013 ICO Guidance - Balance BYOD programme with privacy obligations and other legal risks

• Data Controller responsibilities still in play

• “Corporate” personal data and “private” personal data – where is the responsibility line drawn?

• Lack of control over the data device = data security concerns? Greater (?) potential to lose/leak personal data as well as confidential business information

• What happens if there is a data security breach?

• Operational and Technology Approaches

• Security issues – consider:

– use of ‘strong’ passwords to secure devices in addition to a 4-digit PIN

– file encryption

– automatic device locking

– remote wiping where device is lost/stolen – which data will be wiped and under what circumstances?

– secure backup

– virus protection

– PCI-DSS issues

Dealing with the risks

Avoid creating more problems than you solve...

• Monitoring of employee communications:

– separation/ring-fencing of work-related and private information?

– key to inform employees of monitoring

– consider requirements/restrictions under interception/communications laws

– particular care needed in some EU countries e.g. Germany

• Don’t forget compliance with other DP principles

Dealing with the risks

• Importance of BYOD policy/ToU:

– clear obligations on employees

– what happens if something goes wrong?

– controlled access – set rules and boundaries

– sanctions if breaches occur

• Acknowledgements & Consents? How valid?

• Effective communication and consistent enforcement of BYOD policy is key

• Educate employees – BYOD training

BYOD and the art of balance - a panel discussion

So you want to monitor?

Monitoring and Surveillance

Legislative considerations:

• Are you intercepting a communication? Beware specific communications laws in several countries, e.g. UK, Germany, Switzerland and Belgium. Interception can be a criminal offence.

• Are you monitoring personal data? Data protection legislation applies.

• Are you prejudicing the right to privacy? Human rights law applies.

• Data protection access rights may bring monitoring to individuals’ knowledge

SOME TAKEAWAYS....

Lessons Learnt

• When implementing across Europe, one size does not fit all. Where possible, take local law into account in the design of your BYOD system to avoid having a mismatch between policy and reality later on.

• Don't try to design a policy to compensate for inherent weaknesses in the technology - it doesn't work.

• Ensure that you have the technical ability and resources to implement your policy. If you don't, you will face admin-heavy workarounds or even an inability to implement in some countries. (This might seem to be stating the obvious but it is one of the issues we have run into.)

Lessons Learnt

• In today’s high-tech work environment, your employees are finding workarounds already. If you try to ban BYOD entirely, you’re creating more security risks than you’re remedying.

• The BYOD question is not just corporate devices vs. personal devices – lots of people use work devices for personal uses and vice versa. Plan instead for solid ways to secure corporate assets on mobile devices no matter who “owns” the device.

• Technology is more important than policy. Your first priority should be finding a technical solution that segregates and protects corporate assets and making sure it works for everyone. With the right technical solutions, privacy implications can be lessened. For example, if a mobile device management tool can segregate corporate assets, personal assets can be left unaffected.

Lessons Learnt

• Not all machines (or users) are equal. Make sure your policy recognises where the risks lie.

• Any BYOD system is going to be a compromise between perfect information security and ease of use by the business. Make sure you work out your red lines before the discussion begins.

• People are more important than technology. Make sure the policy will be understood and used by your staff.

Suggested Actions

• Identify key stakeholders

• Conduct risk assessment

– security

– privacy

– litigation

– HR

– sector specific regulation

• Consider operational, technical and legal solutions

• Check your existing policy suite and be ready to amend/remove conflicts. Draft Terms of Use/Policy

• Training

• Audit

• Revisit: regularly

Topics to address in BYOD policy or ToU

• Describe acceptable and unacceptable uses

• Duty to keep device and the data secure

– Specify minimum password strength, no jailbreaking, etc.

– Immediate reporting of loss, theft or other security incident

• Obligation to produce the device on request e.g. for security check, litigation

• Instances when wiping may occur e.g. exit, security incident

• Application of other policies

Contacts

Paula Barrett, Eversheds LLP

email: paulabarrett@eversheds.com

+44 (0)207 919 4634

Hazel Polka, Beckman

email: hpolka@beckman.com

Kasey Chappelle, Vodafone Group

email: Kasey.Chappelle@vodafone.com

James Leaton Gray, BBC - james.leaton.gray@bbc.co.uk ; or connect via LinkedIn


© EVERSHEDS LLP 2013. Eversheds LLP is a limited liability partnership.