BRing your OWN devIcE - BROWNIE
A short compendium to data protection and data security issues regarding BYOD
Prof. Dr. Nikolaus Forgó and
Leibniz Universität Hannover
Bring your own Device (BYOD) is an important trend in the IT industry. BYOD refers to the practice of employees collecting, processing (including, but not limited to, storing) or using corporate (company) data on their privately owned ICT devices. The model may increase both the efficiency and the output of employees and has important advantages; however, each company’s individual requirements and business environment demand thorough evaluation to determine whether BYOD is a usable tool for cost reduction and whether the advantages outweigh the challenges. From a legal perspective it is of particular importance to recognise that, in BYOD environments too, the employer alone remains fully liable for all job-related data processing on employees' private devices. Consequently, the level and effectiveness of data security measures must be maintained at the same high level regardless of whether data processing is carried out on company-owned or privately owned devices. This causes significant challenges in practice, which require precise and comprehensive legal agreements with employees as well as well-thought-out, state-of-the-art technical implementation.
Whereas legal compliance of BYOD can be achieved by taking the right steps, it should always be considered whether providing employees with company-owned devices (which may be used privately as well and which, in addition, may be chosen freely by the employees within certain boundaries) would not constitute a significantly easier model, combining the advantages of BYOD with the safety of full technical control and better legal control of these devices. In total, a BYOD model must be thoroughly adapted to the company’s business model and processes within the IT infrastructure, in particular regarding hardware and software ownership and maintenance (licensing), data ownership (personnel data / IPTs), IT security policy, data security and liability.