Bring Your Own Device and Your Own Governance Policy

Bring your own device (BYOD) is not a new concept, but it is gaining adoption and many organizations are struggling to get their arms around it. Ensuring that appropriate policies and controls are in place to protect corporate data and its privacy is challenging enough. The challenge is significantly greater when the data is going to be accessed from just about anywhere by a variety of personal mobile devices. Setting up the right governance and security policies for data in this new model is complicated further by the fact that personal data and a personal device must also be considered.

As I discussed in my recent interview with Search Compliance, one of the major pain points of BYOD is the mixing of corporate data with personal data on these devices that are being used for business purposes. The main concern: how do you ensure that you’re maintaining the delineation between what is corporate data and what is personal data on that device? That differentiation remains a gray area if business communications are occurring through the personal text app on the device. It raises concern that all personal texts could potentially be considered part of discovery in litigation.

There are some obvious benefits of allowing people to use their own device. It allows business activities to be more agile and timely, improving efficiency and even competitiveness. However, a big issue for users is often their reluctance to relinquish significant control or management of their device to their company’s IT department, which is often a requirement to participate in the BYOD program. It’s also counter to how IT departments have functioned, where they set hardware and software standards to improve their ability to support end users. When it’s effectively “your own device,” it establishes a much wider range of choice, and that can complicate IT operations.

Historically, email has been easier to manage on personal devices because it was a single app. But when you consider shared file services, where you can now access corporate information (files) and open it on your tablet or your smartphone, it is difficult to ensure the data is secure and privacy controls are in place so it is not inadvertently shared or stolen. Organizations need to be able to ensure that appropriate governance is in place, that only specified data is accessible by personal devices, and that it can be effectively managed.

One way organizations are addressing this is to get their governance programs in place to manage this unstructured file data and then apply these processes to the distribution endpoints, i.e., a personal laptop, tablet or smartphone. The idea is to get the right retention and compliance policies in place so that when mobile access to file sharing is available, the rules and the security measures are already in place. Security and privacy on the devices themselves are areas that will continue to cause concern, but the market is beginning to see new technology and apps addressing the issue of security on the actual devices as well as clear separation of personal and business data.

The bottom line: organizations should be looking at getting their information governance programs in place, so that information is managed appropriately with the right policies, rules, and privacy built into them, and so that they are able to allow access from individuals’ personal devices.