A survey carried out on more than 1,000 businesses by the Ponemon Institute in April, found that more than half of those companies said they wouldn’t be compliant by the new GDPR legislation deadline.
Now, having come into effect just over a month ago on May 25th, all businesses and organisations should be following the stricter GDPR rules to ensure their compliance.
But what about employees who use their own devices for work, thereby holding personal and possibly sensitive data about clients, customers, prospects, suppliers and colleagues?
This could be a real issue for SMEs who may not have considered how to combat this new problem following the recent changes to data protection regulations.
Employees who use their own personal devices to access and store sensitive data creates a grey area, which can run a high risk for employers.
One way to control this is to have clear guidelines on who is allowed to use their own device, perhaps limiting use to certain job roles.
Another popular way of preventing businesses falling foul of GDPR is to create a ‘Bring your own device policy’ (BYOD), where employers can set up a system for authorising the use of personal phones and keep a record of who is using their device for work purposes.
Staff who use personal devices holding customer data should consider using a strong password to lock their device, make sure the device is capable of locking automatically and enable a setting whereby data is automatically deleted if an incorrect password is entered after several attempts, or if the device is inactive for a period of time.
The way in which the data is transferred should also be made secure to prevent third party access. One way to ensure sensitive data is kept safe when shared is to use encryption software, and by transferring it via an encrypted channel.
Assessing the security of any open network or Wi-Fi connection is essential and employees should refrain from downloading any unverified or untrusted apps that may pose a threat to the security of the information held on their devices.
Another consideration to enforce a compliant BYOD policy, is mobile-device management, whereby an employee must ensure that his/her device is able to be located remotely and allows for data to be deleted on demand, if it is stolen, upgraded, recycled for money or given to family or friends.
There should also be a policy for the retention and deletion of personal data, whereby employees must not retain personal data for longer than is necessary, unless there is a requirement to retain it for longer to comply with any legal obligation.
They must also ensure that if they delete information, it is deleted permanently rather than left in the device’s waste-management system.
If an employee uses removable media such as a USB stick to transfer personal data, he/she must ensure that the personal data is deleted once the transfer is complete.
A BYOD policy should also ensure that once an employee leaves the organisation, they must delete all work-related personal data on their own device prior to their last day with the organisation.
Overall, SMEs owners/leaders should ensure all staff understand what amounts to personal and sensitive data and the obligations when holding such data.
Having a BYOD policy in place will control and secure the use of sensitive data and ultimately, reduce the chance of receiving a large fine for breaking the new data protection rules.
By Kirsten Cluer, HR Consultant and Owner, Cluer HR