BYOD: The trouble with using personal devices for business purposes
- Many companies allow employees to use personal electronic devices for work purposes. This is called BYOD or “bring your own device”.
- BYOD is often a cheaper option for businesses and is easier to manage, but do the data protection risks outweigh these benefits, particularly when companies may not even know if or when data privacy violations occur?
Episode Title: “BYOD: The trouble with using personal devices for business purposes.”
Many companies allow employees to use their own devices for work purposes.
While BYOD (bring-your-own-device) policies are often a cheaper and easier to manage option, do the risks in terms of GDPR compliance outweigh the benefits, particularly when companies may not know if or when data privacy violations occur?
Speaking: Dayle Rodriguez from Amakari Services interviews Trevor Fenton from Plain English Law.
Recording Date: 25 May 2021
Recording Length: 00:15:34
Hi there, this is Trevor Fenton from Plain English Law. We’ve made this series of GDPR podcasts by recording conversations between me and Dayle Rodriguez of Amakari Services. In this episode, we talk about allowing employees to use their personal devices for business. The GDPR can make it risky to put personal and business data on the same device, and a good ‘bring-your-own-device’ policy isn’t always a complete answer. Dayle and I start by discussing the difference between data and personal data.
DR: It’s been a while since I’ve done my data protection training. Refresh my memory: is it nine protected characteristics that make it personal data?
TF: No, you might be conflating personal data with discrimination, which is measured on the basis of protected characteristics like race, gender, sex, gender-identity, sexual orientation, etc.
You’ve got data and then you’ve got personal data, which is a subset of data. ‘Data’ just means ‘information’. It doesn’t have to be in a spreadsheet or a database. I keep a notebook for calls I have with clients – all the stuff I write down, that’s all data.
So, the question is, is it also personal data? That comes down to whether that data is related to or is about an identifiable individual.
At its simplest, you take any piece of information and put someone’s name beside it, and essentially that makes it personal data, as long as that information is about them. If the information is about something pedestrian like “the grass is green” and I write “Dayle” beside it, that doesn’t make that piece of information about Dayle. But if I say “the grass in Dayle’s back garden is green and healthy” then, as silly as this sounds, I think that IS personal information about Dayle. And that’s because it relates to Dayle – it’s his property, I’ve said it’s his grass, and it’s information about that grass therefore it’s information related to him.
Would that get him a whole lot of protection in the GDPR? No, not really. But why do I have that information? What am I doing with it? Why do I even have that in my records?
DR: You know, I would wonder why you, Trevor Fenton of Plain English Law, would have information about my grass. Also, that you are so informal about it. Certainly, if you’re going to talk about my grass, you can call me “Mr Rodriguez”.
TF: (laughing) Ok, that’s a very silly example. But there are all sorts of examples that people don’t think of being personal data because they think, well, that’s not ‘personal’, or ‘sensitive’, or ‘private’. It doesn’t have to be private. It doesn’t have to be something you think people would feel a sense of invasion about. It could be as simple as your phone number at work, whether it’s your own or the main number for the company, and I’ve got it in my address book as “Dayle’s phone number at work”, that’s personal data about you.
The definition is breathtakingly wide under the GDPR. It’s a lot wider than definitions in other parts of the world. In Canada, for example, business contact details don’t count as personal data under their equivalent to GDPR, known as PIPEDA, or the Personal Protection and Electronic Documents Act.
DR: That makes sense to me though. If you have my number in your address book and it’s my work number, then it’s not personal because it’s my business number.
TF: That’s definitely a debate that could be had, whether it should or shouldn’t be classified as personal data. But the GDPR does classify it as personal data.
Likewise, that means that emails sent back and forth to customers and co-workers, those emails all become personal data about the person who sent it because their name or email address is on it and you can use that to identify who that person is, and it becomes personal data about the person they sent it to for the same reason, and because it’s information sent to that person which makes it about that person.
DR: Ok, so on my phone, I have a VoIP system that is separate from my normal phone contacts. But in theory, that device is my personal phone, so I’m potentially carrying around personal, sensitive information about other businesses on my phone – is that right?
TF: Yes and no.
First off, there is no such thing as personal data about an organisation. Personal data is only about individuals, about living breathing human beings. We can get into the debate that sometimes people act as sole proprietors and therefore the individual is the business, but let’s not go there right now. The point is, most businesses operate as companies and there is no such thing as personal data about a company. What does exist is personal data about the people who work for companies, and that personal data could be the phone number for them at the company. That phone number in and of itself is not personal data. You put that phone number beside that person in a contact book, and now it’s personal data about them.
So, if that personal data is on a phone, it doesn’t matter whose phone that is, it’s still personal data about that person. Now Dayle, on your phone you might have two different address books: one that you use for strictly personal purposes and one you use for business purposes. GDPR will not apply to the personal-only contact book, because it is for strictly household purposes. GDPR does not apply to the use of personal data for strictly personal and household purposes.
I’ve got my list of friends on my phone and I send them an email to go for a pint on the weekend – that is not covered by GDPR. That is a strictly private and household purpose for the use of that data. If, however, I send the exact same email to someone using the details I have stored in my contacts for business purposes, details that the business holds, that’s different.
You’re holding both on the same phone and that can make it complicated. But if you can keep them completely separate within the phone and you’re not cross-pollinating – you’re not taking contact business details and sticking them in your personal address book – then that makes it easier to manage. But the fact that it’s on the phone that you own rather than a phone the company owns, that doesn’t change the GDPR situation. Or rather, it doesn’t change the status of the data, I should say. What it does is make it riskier. It is risky to hold business data on a personal phone because of the amount of discipline required to treat those data sets differently.
And also, on your personal phone, you’re going to put on apps for personal use that you don’t intend to use for business purposes. What if you accidentally give that app to your business contacts book? Because almost every app I know usually asks to have access to all your contacts. Clubhouse being a great example. It’s an example I’ve used before, and I shouldn’t just pick on them because they’re not the only ones who do this, they’re just a more recent example. But yeah, a lot of these apps say: “We need access to your contacts to function.” Putting aside whether they actually need that or not, the question is are you going to give this external business access to all of your business contact details, which is personal data about your business contacts?
DR: That’s interesting. Lots of people like me, especially when they started up, used their personal phone and mobile phone number to keep expenses down. If I’d given that number to someone for business, and then they went on Clubhouse or whatever app, in theory they’ve given my personal data to a third party without my consent, right?
TF: It’s not in theory, it’s very much in reality. You’ve got your contact book with business contacts in it. That is personal data about all those contacts and your business is the controller of that data. And to be a controller means it’s the business who’s decided why you have that data, what you’re going to do with it, and how you’re going to process it. And that activates all sorts of responsibilities under GDPR.
Now, if you, whether you’re acting as the business or not acting as the business, if you take that data and give it to a third party, you have to have a legal basis for doing that kind of processing. That is a form of processing: to transfer data to somebody else.
What that business has done by transferring that data to a third party without a legal basis is it just violated the GDPR. And the business may not even realise that they’ve just violated the GDPR because it doesn’t even realise one of their employees has just done this.
DR: I know this for sure! I know lots of business owners who are not just micro, they’re bigger than that. And the director is using their personal phone and they’ve had clients for years and they’ve signed up to various apps that say “give us your contacts” – and I know for a fact some of that data is mine.
TF: You’re right. And you can find little pieces of evidence that this is happening all the time, that your personal data has landed in other people’s hands.
Best example I can think of is, I was having a discussion with a personal friend of mine on a messaging platform – I won’t name names here – about a particular online store that they had just bought something from. I had never heard of this online store before. It was a specialist supplier of goods that I had never searched the web for before. Literally the next day, my Facebook feed is full of adverts for this exact company! It was very clearly targeted.
What I figured out probably happened is that company probably has my friend’s address book, and his address book has my phone number in it, and my phone number is linked to my Facebook profile. So, Facebook and the advertiser put all this together: my friend likes this store and just bought something there last week, so let’s see who my friend’s friends are and let’s serve ads to them.
Now, that is not a GDPR violation by my friend because the information he had he processed in the context of purely personal and household purposes, so GDPR doesn’t apply here. But what if that wasn’t a personal friend? What if that was a business associate, someone I’m doing business with? In that context, my phone number and contact details are personal data that is covered by GDPR because the business is the controller of that data. So in that case, the business will have just leaked out that personal data to a third party through its employee’s personal use of that data.
DR: That’s freaky.
TF: It is freaky, and it’s one of the reasons why BYOD policies, or ‘bring your own device’, really need a second look. People need to think: “Should we allow people to use personal devices for business purposes at all? Should they be allowed to receive work emails on their personal devices?” Or would it be better for the business to invest in company-purchased and company-managed phones so that the company can control what apps are put on there, what permissions can be set and, without fear of repercussions, wipe the data remotely at any time? Where you’ve got an employee using a personal device, can you insist they wipe the data on their device? No, you can’t insist on that. And sure, there is mobile device management software that you can install that creates sandboxes for the business’s personal data and all that. But you know what, honestly, for all that effort just buy them a phone. Or say: “You know what? We don’t need you to have a phone. Your job doesn’t require that. Either way, you’re not installing work emails on your personal phone. We forbid you, essentially – do not put business contact details in your personal contact book. If you need to call customers, you can call them from work, you can use the company-supplied CRM to find their phone number and use the company phone to phone them. You don’t give customers your personal mobile phone number. If you need customers to reach you on your mobile, come to us and ask for a company mobile phone and we’ll look to see if there’s a business case.” That’s how this needs to work. Because there’s no question there’s a lot of leakage of personal data that happens that way: through people’s personal phones, downloading apps and giving permissions.