10 Tips for Creating a Successful BYOD Policy


The “bring your own device” (BYOD) trend has become the norm at many companies and is viewed as a way to both save money and increase productivity. By allowing employees to use their personal smartphones, tablets and laptops to access company information systems and applications, employers can avoid the cost of providing staff with separate work-related devices, while enabling employees to stay connected to work at any time, from any location.

BYOD policies are not without risks, however. While an employee’s use of personal devices is largely outside of the employer’s control, the information on such devices must still be properly retained, secured and available for potential legal and regulatory requests or review.

Employers must also address data privacy issues stemming from personal and business information located on one device. Finally, employers face potential liability if an employee harms someone while driving and using a device.

These 10 tips can help organizations create a successful BYOD policy that addresses the challenges and risks of employee-owned devices in the workplace.

  1. Involve all relevant stakeholders. BYOD policies impact many different business operations — legal, IT, human resources, information security, compliance, etc. — all of which should be part of the conversation when developing rules and procedures.
  2. Authorize specific BYOD users. Carefully consider the risks when deciding which employees can use their own devices at work. Risks vary depending on a number of factors, i.e., whether an employee's activities are regulated, data protection available in the employee's location, the type of information handled, the organization's need and ability to access data on a personal device and whether the employee is exempt or non-exempt.
  3. Specify what devices are permitted. Weigh the differences in capabilities, operating systems and compatibility of devices in choosing which products are included in a BYOD policy.
  4. Control the use of applications. Determine what types of applications employees can use for business purposes and any necessary restrictions on their use.
  5. Define a strict security policy for all devices. Given the sensitive information handled on these devices, require complex passwords and lock screens for all devices used in a BYOD program.
  6. Institute a clear service policy for employees using their own devices. Establish the degree to which the organization's IT resources will be responsible for handling support issues with BYOD devices.
  7. Establish ownership of the data. Be specific in conveying the organization's policy regarding who owns the data on devices used in a BYOD program. For example, include a policy statement that all business-related data belongs to the organization, regardless of where the data is stored.
  8. Establish the right to access the device. Ensure the organization is able to access information on an employee’s personal device when needed for legal, regulatory and compliance reasons. Keep in mind the extent to which remote and physical access to the device will be required, and whether the organization will need to remotely erase information from a lost or stolen device.
  9. Include a distracted-driving policy. Implement a clear policy banning the use of devices while driving to avoid claims of negligence for harm caused by an employee in the course and scope of his or her employment.
  10. Create an employee exit strategy. Develop policies for handling information on BYOD devices when an employee leaves the organization — such as retaining the right to erase the data or supervising the employee's removal of the data.

To take advantage of the benefits of BYOD programs, organizations must carefully manage their risks and avoid the significant repercussions of a data breach. Retaining control over increasingly decentralized data requires that managers and employees understand the importance of protecting business information and the very real security risks that exist in today's world.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomson Reuters Compliance Learning | Attorney Advertising
