For many, everyday life without smartphones and tablets is virtually inconceivable. These devices have become constant companions in day-to-day life. Times when only a privileged handful of executives were granted access to active business communications and corporate data while on the road have gradually come to an end.
This article shows essential parameters of relevant data protection law and technical matters. These are facts that companies in the European Union have to keep in mind if they plan to allow employees to use their private smartphones for business purposes (“Bring Your Own Device” or “BYOD”).
Why Is Data Protection Law Relevant at All?
As the data controller (pursuant to Article 2 (d) of the EU Data Protection Directive (95/46/EC)), a company bears responsibility for the compliant processing of personal data even when such processing is conducted on an employee’s personal smartphone. Unlike company-owned smartphones, if no prior agreements are in place for privately owned smartphones, a company has only limited options when it comes to instituting and enforcing technical and organizational standards for secure data processing on private devices.
Recommendation: Policy Agreement with Employees in Advance
Taking these considerations into account, the first recommendation is to use only company-owned hardware within the company. However, if a company plans to permit the use of private smartphones, a written policy between employees and the company should be established right from the start, specifically to avoid liability problems, to defuse potential conflicts (e.g., telecommunications secrecy), and to ensure the orderly processing of business data on private devices.
The following list of standards and rules covers the main issues that any such agreement should contain:
Separation of Private and Business Data
To avoid access restrictions for the company, private and business data have to be separated as distinctly as possible.
This separation elucidates the primary requirement that needs to be resolved within a BYOD strategy. All smartphone platforms currently sold and actively developed, such as the Apple iPhone (iOS), Google Android, RIM’s BlackBerry and Microsoft Windows Phone, basically come with the option to manage multiple email accounts on the same device “separately”. Typically, companies use Microsoft Exchange (“Outlook”) or Lotus Domino (“Lotus Notes”) as their messaging systems; these applications also provide business calendars and contact data that are easy to synchronize with the smartphone.
But to establish a “clean” partition between private and business data, further action has to be taken. If the user forwards private emails via the company email account, these messages are dealt with under the control mechanisms of the company’s messaging system (e.g., legally mandated mail archiving). The other way round, there is likewise a risk that company data will be forwarded unchecked via the private account. Privately installed smartphone applications (depending on the mobile platform) can enable access to email accounts — undetected by the user — and automatically transmit confidential information to the outside world.
These risks need to be minimized and, wherever possible, stopped as soon as a private device connects to the company’s IT system. iPhones, BlackBerries, and Android and Windows phones already come with various manufacturer-provided settings that Mobile Device Management software can use.
Rule on Data Access
In advance, an agreement should be established with employees regarding the specifics of the company’s authorization for (remote) access to smartphone data. Legal background: a hidden data processing operation legally bears greater weight than a transparent one. For example, if the company wants to access personal data, such as information about the inventory of privately installed apps, information about configurations for private email, WiFi and Virtual Private Network (“VPN”) access, or information about roaming status for the detection of foreign travel, there has to be an agreement in place covering the processing of the collected data.
Rule on the Question: When Is the Company Allowed to Delete Data?
It may be preferable for the company — especially if a smartphone is lost — to be able to delete any data stored on the smartphone by remote command. However, this delete command would also affect the employee’s private data, depending on the operating system and the Mobile Device Management (“MDM”) solution in place. For this reason, it is recommended to institute a rule at the outset.
The standard options of most common messaging platforms essentially permit complete device erasure even without any additional MDM mechanisms, provided a connection to the device for data synchronization purposes still exists. But technically speaking, the trend runs unequivocally towards both establishing a clean separation between private and business data on the devices, and allowing the ability to selectively delete company data. Today, RIM, for example, can consistently implement this service with “BlackBerry Balance” (serving only BlackBerry devices). The company Good Technology Inc. does the same for iOS (iPhone/iPad), Android and (to a limited extent) Windows Phone. Apple adds options to its profile-based MDM specification to allow companies to remove, in a targeted manner, their email accounts from devices, along with other centrally administered configuration settings. The MDM solutions offered by suppliers AirWatch and MobileIron also incorporate this option and implement it. Integrated “self-service portals” enable the user to automatically initiate these kinds of actions — a desirable option in the event of loss, for example. As soon as the user activates the MDM-based administrative integration, the user explicitly confirms (through an on-screen dialog) the scope of data that the company’s IT department is able to delete from the device.
Employer’s Rights to Treat Private Devices on Par with Company Devices
As a follow-up to the matter of “When is the company allowed to delete data?”, we propose a rule clarifying from the employer’s perspective that, in principle, the employer may deal with the employee’s private smartphone in a manner equal to that of any other business hardware.
In terms of administration, this specifically applies to the control and/or deactivation of specific device functions. The potential issues here range from the deactivation of internet-based voice recognition through Apple’s “Siri” (an internal policy at IBM, for instance), to the suppression of automatic data backup to cloud services, to permitting the installation of apps only from a catalogue of in-house applications and not from public app stores such as Apple’s and Google’s. Technically speaking, the ability to effectively administer such rules depends on the smartphone’s operating system and the MDM solution installed on it.
Rule on the Use of Monitoring Tools
When using (technically recommended) monitoring tools to track the correct system status and the permitted system usage, two specific points pertaining to data protection law must be taken into consideration: 1) the type and nature of data processing, and the associated purpose, must be described transparently at the beginning; and 2) when software of (particularly non-European) third-party service providers is in use, the company must observe data protection regulations to safeguard an adequate level of data privacy protection.
For example, there should be a clear-cut agreement with the device owner prior to activation, even for a truly useful option like device positioning (if the phone is lost), such as offered by AirWatch and MobileIron for iPhones and Android devices. Special attention should be paid to detecting a “jailbreak” (iPhone) or “rooting” (Android). (“Jailbreak” and “rooting” are processes for removing the limitations imposed by manufacturers, allowing users to attain privileged control.) Smartphones in this condition can be used beyond the options intended by the manufacturers, for example to run unauthorized software. But for security reasons, this method of enhancing functionality — which is popular among private users — cannot be tolerated within a corporate context. The majority of MDM solutions are not operational unless the user is prepared to allow his or her private device to be monitored within the agreed parameters. In the BYOD scenario, most MDM solutions respond with automatic measures to detected violations of security guidelines. These measures range from a mere passive notification to the user and the responsible IT offices in the most basic case, through an active interruption of mail synchronization until the user independently restores conformance with the policy, to the deletion of all corporate data in the most extreme case.
In this context, Good Technology Inc.'s approach stands out: company data is stored in self-contained (and encrypted) app containers that allow no direct exchange whatsoever with other apps on the device. The app container communicates with the company IT department through a dedicated, encrypted channel. In this way, the user-controlled settings that guarantee secure operation are no longer a decisive factor to the same extent and become substantially easier to manage. In addition, of course, a jailbreak/rooting check and report (here, by Good Technology Inc.'s own software) remain indispensable.
Standards on the Setting of System Parameters
We recommend standards stipulating in writing that the employee must activate certain security settings on his/her smartphone, and, as soon as they are set, the employee is not allowed to change them anymore (for example, rules on password assignment, automatic smartphone disabling, enabling GPS positioning in the event of loss, etc.).
For a practical setting, the company should compile documentation individually tailored to the company’s situation, arrange introductory training for employees about their private devices and provide access to trained support personnel.
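As an added illustration (not code from the article or from any MDM vendor) of the graduated responses described in the monitoring section and of the system-parameter rules above: a small Python compliance engine that grades a device’s self-reported state against agreed rules and returns notify, block mail sync, or selective wipe, and that splits device content into company-managed items to remove and private items to keep. All field names, rule names and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed example: a minimal BYOD compliance engine. Thresholds, rule
# names and the DeviceState fields are assumptions, not any vendor's API.
NOTIFY, BLOCK_SYNC, SELECTIVE_WIPE, COMPLIANT = "notify", "block_sync", "selective_wipe", "compliant"

@dataclass
class DeviceState:
    device_id: str
    passcode_set: bool
    autolock_minutes: int          # 0 means auto-lock disabled
    jailbroken: bool               # jailbreak/rooting reported by the MDM agent
    unmanaged_apps: List[str] = field(default_factory=list)  # apps not from the in-house catalogue
    days_noncompliant: int = 0     # how long a minor violation has persisted

def violations(d: DeviceState) -> List[Tuple[str, int]]:
    """Return (rule, severity) pairs; severity 3 is the most serious."""
    v = []
    if d.jailbroken:
        v.append(("jailbreak_or_root", 3))
    if not d.passcode_set:
        v.append(("passcode_missing", 2))
    if d.autolock_minutes == 0 or d.autolock_minutes > 5:
        v.append(("autolock_policy", 1))
    if d.unmanaged_apps:
        v.append(("unmanaged_apps", 1))
    return v

def decide(d: DeviceState, grace_days: int = 3) -> str:
    """Map violations onto the escalation ladder: notify -> block sync -> selective wipe."""
    v = violations(d)
    if not v:
        return COMPLIANT
    worst = max(sev for _, sev in v)
    if worst >= 3:
        return SELECTIVE_WIPE      # company data removed; private data is never touched
    if worst == 2 or d.days_noncompliant > grace_days:
        return BLOCK_SYNC          # mail sync paused until the user restores compliance
    return NOTIFY                  # user and IT are informed, nothing is enforced yet

def selective_wipe_plan(items: Dict[str, bool]) -> Tuple[List[str], List[str]]:
    """Split device content (name -> managed by the company?) into remove/keep lists."""
    remove = [name for name, managed in items.items() if managed]
    keep = [name for name, managed in items.items() if not managed]
    return remove, keep
```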
Rule on the Allocation of Liability
To avoid the eventuality of legal disputes, we recommend the establishment of an agreement on the allocation of liability between employee and employer.
Notification Duty in the Event of Loss
Of particular importance (especially with respect to potential data breach notification requirements) is the employee’s obligation to immediately notify the employer in the event of a smartphone loss.
MDM solutions also support this organizational action with the “self-service portals” discussed earlier. The employee can both 1) initiate contact with the helpdesk through this portal, using any PC with internet access in order to submit his or her loss report through formal channels, and 2) take immediate action by attempting to locate his or her device, and conducting remote deletion.
Use of Private Smartphones by Third Parties
Additionally, it would be advisable for the employer to prohibit the employee from allowing third parties (such as friends and family members) to use his or her smartphone, thus ensuring that only the employee can gain access to company data.
If the private device is intentionally passed on to a third party, the protection of company data can be supported technically only by protecting access to business data with a separate password, regardless of the type of device. “Good for Enterprise,” for example, administers this protection for its own mail app, whose data are automatically encrypted regardless of any other device encryption that may be activated.
Performing Repair and Maintenance Work
Employers and employees should agree on rules on the regular performance of repair and maintenance work (installing updates by the IT department, not submitting the smartphone to third party repair workshops, etc.).
Conclusion
If companies permit the use of private smartphones, they remain legally responsible for the data processing performed on these devices, but, on the other hand, they are not allowed to fully control the data processing on the device and to enforce internal IT policies. Therefore, it is imperative from a legal standpoint to agree to a preliminary rule with the employee to define a reasonable balance between the liability risks, on the one side, and the benefits from the use of private smartphones, on the other.
How to provide technical support for the business use of private devices depends both on the smartphone models acceptable to the company’s IT department and on the selected MDM solution. Today’s strictest approach to separating private and business data for Android and Windows phones can be found among the products from Good Technology Inc. But even this solution does not fit every business situation, and therefore must be carefully examined prior to use.
Irrespective of the most recently deployed technical solutions, all IT activities on private devices should be documented precisely and transparently for the employee, together with the data protection agreements. Given the dynamic nature of this task, we recommend establishing an effective and easy-to-manage documentation process.
Dr. Sebastian Kraska, an Attorney and External Data Protection Officer in Germany, may be contacted at sk@iitr.de. Peter Meuser, an Independent IT Consultant with iTlab Consulting in Germany, may be contacted at pmeuser@itlab.de.