BYOD: Are you responsible for data on your personal device?03 May 2018
With a month to go until GDPR becomes enforceable (25 May), businesses are rushing to get their houses in order, even more so in light of the recent Facebook-Cambridge Analytica scandal. Under the current data protection regime, Facebook should expect to pay up to £500,000, the maximum fine under the Data Protection Act 1998 (DPA) - a mere drop in the ocean for a Fortune 500 corporation. However, had the data breach occurred after the 25 May, that fine could have been to the tune of £1bn.
With such potentially astronomical fines, it's no wonder that data protection news has been focused on the responsibilities of businesses under the GDPR. But what about the individual employee? What are your duties and potential liabilities for data stored on your electronic device? What happens if you lose your device, someone finds it, and exploits the data stored on/accessed through it?
Bring Your Own Device (BYOD)
Before delving into the use of personal devices for work purposes, the concept known as 'bring your own device', it is useful to remind ourselves that personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection regimes. Furthermore, employers are "data controllers" and employees are "data recipients". Data controllers have duties and liabilities under the regimes whereas recipients do not. However, recipients are indirectly responsible for respecting the principles as they are liable to their employer who must ensure that any employee with access to personal data is reliable.
It is possible, however, for employees to be regarded as data controllers if they act beyond the scope of their employment which would then hold them accountable under the data protection regimes. Furthermore, when an employee gets access to employer databases through, or stores work related data on, their personal electronic device, the employer maintains its role as data controller in relation to that data. This does not mean that it becomes controller of all the data stored/processed on that device, but for the data they are controller of, they must apply the same data protection principles which can present challenges. The UK Government has produced guidance for organisations in this respect, which includes creating an effective BYOD policy, limiting the information shared by devices, and planning for security incidents.
A further challenge in relation to BYOD for data controllers is balancing data protection responsibilities with the employee's right to privacy. A breach in this respect could also amount to a breach of the law, and so it is recommended that employers use software which effectively separates personal and company data on, or accessed through, the same device.
As an employee you remain liable to your employer in relation to the company data once you leave the office. Having 24-hour access on your own device is likely to increase the chances of breaching your company's data protection policy, or make it easier to effectively assume the role of data processor yourself. That said, your employer is first and foremost responsible and liable under the law to prevent this from happening. In the case where you lose your unsecured device and someone else retrieves the company data from it, your employer will be legally liable and you will be liable to your employer.
GDPR: Under the new regime
Following 25 May, the situation will remain much the same for employees and for the use of BYOD. You should expect, however, to be held to a much higher data protection standard. With much broader and more stringent requirements on controllers, as well as the sobering new penalties for breach, employers will ensure the highest standards of policy, security and training in relation to you and the use of BYOD are enforced.
Although BYOD may represent a further potentially huge liability with the incoming data protection regime, it has nevertheless become an integral tool within many business sectors. You should therefore treat it like any other element of your company's filling system - with the utmost diligence and security.
Data controller: means [..] a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Recipient: in relation to any personal data, means any person to whom the data are disclosed, including any person (such as an employee or agent of the relevant data controller, a relevant data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.