A ‘Bring Your Own Device’ policy (BYOD Policy) is essentially a set of rules applicable to employees who want to use their personal devices for work purposes. No policy is one-size-fits-all, so you should use this as a guideline only and determine what will work for your business.
Here are the five elements that are usually covered in a BYOD policy:
- Is it voluntary or mandatory for employees to use their own devices? This will depend on your type of business.
- Who must comply with this policy? Consider whether you want all or only some of your employees to do work on their personal devices. What about temporary employees?
- Which devices are supported? Generally, you should not allow employees to use jailbroken or rooted devices. You should list the minimum system requirements and configurations. It may be prudent to include an approval process. For example, an employee must first present their device to your IT department for approval before it may be linked to your network.
- List clear security requirements. Employees should follow the same security rules when using their own devices as when they use company infrastructure. If you have an acceptable use policy already, these rules will be listed there. Do you need to add anything for personal devices? For example, you may want to implement the capability to remotely wipe the employee’s device when they leave your employment or if the device is compromised (lost or stolen). Certain conduct should be prohibited, such as sharing use of the device (e.g. an employee allowing their child to use it).
- You’ll need access to company data on the employee’s personal device. The employee should be made aware of the nature, extent and reasons for any monitoring or access to data on their personal devices. You should make it clear that they cannot expect complete privacy. It may be necessary to invest in software that would allow company data to be kept separate from an employee’s personal data so that your monitoring and access are limited and the employee’s privacy is not violated.
In addition to having a BYOD policy, you may need to update affected procedures and guidelines to implement it.
Keep these in mind:
- Maintain a record of consents; you may need it later.
- Define permissible use. Provide guidelines regarding access to apps, cloud-based storage systems and wireless networks.
- Take other policies into account. The BYOD policy should cross-reference other applicable company policies.
- Provide training to your employees on the content of the policy and your security requirements.
- Update your exit procedure to include disconnecting the employee’s device from the company network, uninstalling company apps and software, and wiping company data.
- Consider whether you want to reimburse employees for the use of their devices and review applicable legislation (think tax and employment laws).
If the thought of writing your own BYOD policy is overwhelming, we’re standing by to help you. Get in touch!