Are UK firms violating GDPR by not implementing BYOD policies?
Only 54% of organisations in the UK have adopted formal BYOD policies even though 72% of organisations have embraced BYOD and SaaS application adoption.
Organisations in the UK could end up violating GDPR provisions if they do not adopt formal BYOD policies by the time the new law arrives.
Even though BYOD (Bring Your Own Device) has been a subject of much debate the world over because of the inherent security risks involved with employees using their personal devices at work, a number of nations have crafted new frameworks to ensure that organisations do not put sensitive corporate or personal data at risk even if they actively adopt and promote BYOD.
Even though the concept is relatively new, less than a decade old, BYOD is now being adopted by hundreds of small and large organisations the world over. In fact, the Middle East boasted a BYOD adoption rate of over 80% as far back as 2012.
Even though the UK has been late in catching up, 7 out of 10 organisations have embraced BYOD over the years and the number is set to rise significantly in the near future. However, despite embracing the concept, a number of such organisations have been slow to create formal BYOD policies that protect the integrity of corporate and customer data.
What is a BYOD policy?
The National Cyber Security Centre has provided a framework that aims to help organisations develop watertight BYOD policies so that sensitive data is not placed at risk even if all employees are allowed to use their personal devices at work.
The centre suggests that organisations’ BYOD policies must be aimed at preventing any unauthorised device from accessing sensitive business or personal information, and at ensuring that authorised devices can reach only the data and services the organisation is willing to share with BYOD employees.
Organisations must also ensure that employees are aware of the risks of sharing business data with unauthorised users. At the same time, they should ensure that sensitive corporate data is not automatically backed up to employees’ personal cloud accounts or PCs.
BYOD policies also involve educating employees about the risks of using unsecured Wi-Fi hotspots and social media apps, maintaining password hygiene, and keeping personal and corporate data separate on their devices.
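The three technical controls the centre describes (unauthorised devices get nothing, authorised devices get only the services and classifications the organisation chooses to share, and data must not drift into personal cloud backups) can be expressed as a small access-policy check. The following Python is an added illustration written for this article; it is not NCSC or SailPoint code, and every device, owner, service name and classification level in it is constructed for the example.

```python
"""Minimal BYOD access-policy evaluator (illustrative, constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Data classification levels, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    registered: bool            # enrolled with IT, i.e. an authorised device
    cloud_backup_enabled: bool  # device auto-syncs app data to a personal cloud account


@dataclass
class ByodPolicy:
    # services the organisation is willing to expose to personal devices,
    # each with the highest classification that service may serve to BYOD
    permitted_services: dict[str, Classification]
    # absolute ceiling for anything held on a personal device
    max_classification: Classification = Classification.INTERNAL
    # refuse non-public data if it would be swept into a personal backup
    block_personal_backup: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(policy: ByodPolicy, device: Device, service: str,
             data_class: Classification) -> Decision:
    """Decide whether `device` may read `data_class` data from `service`."""
    # Control 1: unauthorised devices get nothing at all.
    if not device.registered:
        return Decision(False, "device not registered with IT")
    # Control 2a: authorised devices reach only the shared services.
    if service not in policy.permitted_services:
        return Decision(False, f"service {service!r} not shared with BYOD users")
    # Control 2b: and only up to the classification ceiling for that service.
    ceiling = min(policy.permitted_services[service], policy.max_classification)
    if data_class > ceiling:
        return Decision(False, f"{data_class.name} exceeds BYOD ceiling "
                               f"{ceiling.name} for {service!r}")
    # Control 3: keep corporate data out of personal cloud backups.
    if (policy.block_personal_backup and device.cloud_backup_enabled
            and data_class > Classification.PUBLIC):
        return Decision(False, "personal cloud backup enabled; "
                               "non-public data would leak into it")
    return Decision(True, "allowed")


# Constructed sample policy and devices (not real identifiers).
SAMPLE_POLICY = ByodPolicy(
    permitted_services={"email": Classification.CONFIDENTIAL,
                        "wiki": Classification.INTERNAL},
    max_classification=Classification.CONFIDENTIAL,
)
ALICE = Device("dev-0001", "alice", registered=True, cloud_backup_enabled=False)
BOB = Device("dev-0002", "bob", registered=False, cloud_backup_enabled=False)
CAROL = Device("dev-0003", "carol", registered=True, cloud_backup_enabled=True)


def run_demo() -> dict[str, bool]:
    """Evaluate a handful of constructed requests; returns label -> allowed."""
    cases = {
        "alice/email/confidential": (ALICE, "email", Classification.CONFIDENTIAL),
        "alice/wiki/confidential": (ALICE, "wiki", Classification.CONFIDENTIAL),
        "alice/hr_system/public": (ALICE, "hr_system", Classification.PUBLIC),
        "bob/email/public": (BOB, "email", Classification.PUBLIC),
        "carol/email/internal": (CAROL, "email", Classification.INTERNAL),
        "carol/email/public": (CAROL, "email", Classification.PUBLIC),
    }
    results = {}
    for label, (device, service, data_class) in cases.items():
        decision = evaluate(SAMPLE_POLICY, device, service, data_class)
        results[label] = decision.allowed
        print(f"{label:28s} -> {'ALLOW' if decision.allowed else 'DENY ':5s} ({decision.reason})")
    return results


if __name__ == "__main__":
    run_demo()
```

Each denial carries a reason string so the decision can be logged and audited, which is what an organisation needs when it later has to show a regulator that its BYOD policy was enforced rather than merely written down. The per-service ceiling is capped by the global `max_classification`, so adding a service to the shared list can never accidentally expose data above the level the policy allows on personal devices.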
Are UK organisations following formal BYOD policies?
SailPoint’s latest Annual Market Survey has revealed that the adoption of formal BYOD policies trails the adoption of BYOD in the UK, thereby placing sensitive corporate and customer data held by a number of organisations at risk. According to the survey, 7 out of 10 (72 per cent) organisations have embraced BYOD and SaaS application adoption, while only 53 per cent have formal policies in place to protect corporate data.
“Our Market Pulse Survey uncovered an interesting ‘identity trilemma’ – multiple departments within an organisation are adopting their own SaaS solutions to appease business users through shadow IT, all while not properly adhering to company security policies,” said Juliette Rizkallah, CMO at SailPoint.
“This is a dangerous combination that creates serious exposure points for companies today. Identity governance is still the key in protecting these points of exposure and mitigating the risks inherent in today’s hybrid IT environment.
“For enterprises to have full visibility into who has access to what, understanding the ‘who’ in that equation is more important than ever. This is why putting identity at the center of security strategies is the best approach for defending and protecting today’s modern enterprise,” she added.
Even though a little over half of all organisations in the UK have formal BYOD policies in place, 3 in 10 of those who participated in SailPoint’s survey revealed that employees are not following such policies. This also suggests that organisations may not be pushing for compliance with their policies as much as they should.
As many as 3 in 4 of the participants also expressed concern about BYOD and shadow IT as organisational exposure points. Beyond exposing sensitive corporate data, the security risks associated with BYOD may also result in such organisations breaching the GDPR, whose UK version will come into effect next summer.
Failure to prevent leakage of sensitive data because of a poorly crafted or poorly implemented BYOD policy may invite the wrath of the Information Commissioner’s Office, which, under the upcoming Data Protection Law, will have the power to issue fines of up to £17 million or 20% of annual turnover.
Earlier this year, a study conducted by M-Files revealed that as many as 33% of employees were using personal devices and 31% were using personal cloud services without obtaining express consent from their companies’ IT departments.
The study also revealed that at least 23% of businesses in the UK had suffered data breaches in the past year because of employees’ non-compliance with company security policies.
“Going against company policies on sharing and accessing documents may seem relatively harmless, but it can have costly consequences, leaving organisations exposed to heightened security risks and compliance issues. With GDPR on our doorsteps it’s critical that organisations maintain control and visibility of their documents and information handling practices,” said Julian Cook, VP of UK business at M-Files.