In the past few years the job of the CIO has changed enormously. Technology moves faster than ever, and the rate of change creates new challenges for the CIO. Perhaps nothing has had a bigger impact on CIOs than the growth of mobile, especially the management of mobile devices and apps, which are often not owned or fully managed by the enterprise.
Given BYOD and the blurred governance lines of mobile for personal and professional use, how much privacy can a company offer employees? One assumes a right to discretion; however, the way we share, monitor, and store information means we likely have little real privacy. Where do the law and your responsibility as CIO begin and end for mobile technology and staff expectations?
How data is tracked and stored
To get a better idea of the relationship between privacy, data storage, and your rights, look at Apple’s built-in GPS. This standard iPhone feature, with location services enabled, collects information on when and where you use your phone, and for what. This data (though not transmitted over the web) can be used for location-based ads and to recommend spots based on your interests.
This data collection is very common—and it’s likely taking place with an app you’ve downloaded or an agreement you’ve signed. Those harmless Facebook quizzes that tell you which Star Wars character you are? They exist to collect your personal information, which you consent to by participating. The relationship between data storage and privacy is shockingly (and legally) fluid.
What the law says
Much of this data collection seems harmless and passive since it is mostly designed for providing a better ad experience. But the invasive nature of such tracking and data collection on mobile devices that share sensitive company data can be unnerving for CIOs, leaving them to wonder what the best ways are to protect company data without overly restricting employees’ mobile experience.
Such privacy risk may be fine for a desktop that’s never “on the clock,” but if you connect to the web professionally, there’s a lot to consider. For example, many states have enacted laws requiring companies to reimburse some or all employee phone-service plan fees when they use personal devices for work. Unfortunately, few specify what data belong to the user and what belong to the organization.
There’s no legislation that specifically regulates BYOD, but plenty of laws govern data obligations and privacy. Because so much goes on behind the legal scenes, it’s important to understand your and your employer’s legal obligations:
- Notification laws: Depending on the industry, state and federal laws have stringent requirements about what information can be shared. HIPAA regulations are especially strict: a healthcare professional must carefully guard patient information on a smartphone or tablet.
- Data security: Accordingly, companies will want to keep their data safe if employees are logging on and sharing content. Trade secrets, for instance, could be a big concern for executives who conduct business on a mobile device. International data protection laws may come into play.
Understanding these official restrictions is a good starting point, but the privacy employees are entitled to depends on the usage agreements they sign with their employer. Contractual obligations are the most important factor when it comes to confidentiality.
The CIO’s guide to better BYOD
Contracts get made every day in our interconnected world. Staying informed on these obligations is your best defense for protecting the company’s interests while providing employees personal privacy. Sadly, data agreements are so common that they’re easily ignored. Employees may not take the time to read through every policy they come across, but it is important that they do so for BYOD. Mobile Device Management (MDM) affects every part of the organization that uses mobile devices, so study these areas before agreeing:
- Enrollment: This should be simple and easy for new users. An email could send users to an MDM enrollment process that requires a quick click. Enrollment will automatically gather and store basic user information, so expect some data commitment at this step.
- Device configuration: The MDM system you implement for employees should allow for over-the-air configuration. Once configured, profiles, settings, and credentials will be delivered to the storage infrastructure. Expect access to restricted applications to be blocked, as well as warnings when data usage limits are exceeded.
- What’s prohibited: An MDM system can see information like personal calendars, contacts, emails, text messages, application information, voicemails, and call history. Furthermore, read about the gadgets you’re allowed to use. Most people juggle multiple devices, professionally and informally; taking a new tablet to work may seem innocuous to many employees, but is it secure enough for them to share company info on? Helping them understand the difference will reduce the chance they unintentionally violate a usage agreement.
- Self-service standards: To get work-related devices functioning as quickly as possible, employers may allow (or require) you to set up the device personally. Common self-service functions include: password and PIN reset, geo-location for lost devices, and the ability to erase a device remotely.
- Monitoring standards: Most likely, a BYOD agreement means a company will monitor its connected devices and return data to pinpoint areas that need adjustment. Create a clear statement about what info the company reserves the right to collect.
Once employees sign on the dotted line, they take responsibility for updating their devices. CIOs should do more than just get the signature. They should provide continued education and guidance as to the best ways for employees to manage sensitive data on personal devices.
To further clarify the relationship between personal and corporate data, consider teaching employees the importance of, and best practices for, storing company applications, documents, and other business information separately. If the business pays for a data plan, you may consider tracking usage.
Privacy is always a contentious issue, and never more so than today when people’s digital public, private, and professional lives are so intermingled. It certainly isn’t an issue to take lightly. What are your thoughts on this? Do you have a plan in place?
A version of this article originally appeared on V3B.