Bring Your Own Device - International Association of Privacy ...

Bring Your Own Device
Some Data Privacy Law Challenges
Ulrich Baumgartner
London, 26 April 2012


osborneclarke.de

Data Protection Laws Applicable?
• DP laws are applicable also to personal devices if used for professional purposes (Art. 3(2) EC DP Directive)
• Company as controller
• Employees using BYOD are regarded as part of the company


Data Controllers Losing Control?
• Private and corporate data are accessed with one device
– Generally, the company is not entitled to access private IT and employees' personal devices
– However, the company has to "determine the purposes and means of the processing of personal data" (Art. 2(d) EC DP Directive)
– This requires, to some extent, control of the company over the private devices (or at least over part of them)


Regulators Losing Control?
• Not entirely clear to what extent DPAs are entitled to control private devices of employees
• In practice, DPAs will check whether companies have control over their data processing activities


Roll Out of BYOD
• Consent might be necessary to implement BYOD
• Consent requires a free decision of the employees
• Issue: a free decision requires an alternative choice
– Possible solution: companies should offer an alternative to BYOD (e.g. company phones/devices)
• Ideally, an alternative justification should be available (e.g. agreements with the works council, statutory law justification, etc.)


Works Council Involvement
• Works council involvement required in certain jurisdictions
– Germany: information/consent of the works council generally required, as BYOD technology (i) is at least able to be used to monitor employees and/or (ii) affects employee behavior
– Similar requirements e.g. in France, Austria, Netherlands


Data Security
• Corporate data are accessed from private devices
• This leads to additional risks beyond the typical risks within the corporate IT network
• Employer must have remote access to devices in order to install security updates, lock access, remove data, etc.
• Depending on the technical solution, such access relates to the entire device or (ideally) to a container/sandbox app only


Commissioned Data Processing Agreement
• Company to enter into an agreement with the BYOD provider acc. to Art. 17(2) EC DP Directive
• Key provisions:
– Technical and organizational security measures
– Clear instructions


International Data Transfers
• Additional requirements if the BYOD provider processes data outside the EEA (Art. 27 EC DP Directive)
• Companies should always check where data are stored/server locations
• Additional safeguards:
– EU Commission standard contractual clauses
– U.S.-EU Safe Harbour certification


Best Practice for BYOD
• Privacy Impact Assessment before roll-out
• Establish BYOD guidelines/update existing policies and provide appropriate training to employees
• Acceptable Use Policies have proved useful
• Device Management Policy might be useful in some cases to register all devices which have access to corporate data
• Ensure that private and corporate data are technically strictly separated
• No corporate data should be stored locally on private devices (prefer "virtual solution")


Private & Confidential

Contact
Dr. Ulrich Baumgartner
Rechtsanwalt/Partner
Osborne Clarke
Munich
T +49 89 54348078
F +49 89 54348079
ulrich.baumgartner@osborneclarke.de
