7 March 2013

A survey has revealed that businesses seem to have a relaxed approach regarding using personal devices for work purposes. With nearly 50% of UK employees using their personal device (laptop, tablet or smartphone) for work purposes without the sufficient knowledge on how to use them safely and in accordance with the data protection act, this is concerning.

Devices are being used for email communication as well as accessing and storage of documents and personal information.  Without the correct measures in place this personal information is vulnerable and at risk.

The ICO have compiled a document, “Bring your own device guidance” highlighting the potential risks involved, the benefits and areas for consideration when allowing personal devices to be used within the work place.

The guidance offers tips to assist businesses in using the BYOD structure correctly, more securely as well as in accordance with the Data Protection Act.

The business still remains responsible for the control of data on these personal devices even though they are owned by the user rather than the business.   The data controller must ensure that the employees are following the proper protocol when using their device.  The appropriate measures must be in place to ensure the security of the data, protecting against unauthorised or unlawful access.  Great emphasis is placed on compliance with regards to the securing of data especially in these circumstances of BYOD where the security risks are increased.

A security measure encouraged by the ICO is encryption.  Data stored on these devices should be encrypted to ensure it remains secure at all times.

Data in-transit is also a major security risk, vulnerable to many types of interception.  The Galaxkey encryption solution, a complete end-to-end solution, eliminates this issue ensuring that the data is secured immediately when sent, in transit and only decrypted by the intended recipient on proper authentication and authorisation.  This is the Encryption solution that Galaxkey offers.

Areas for consideration for the data controller are listed below. The data controller should assess these criteria in relation to their business to ensure effective securing of data on the personal devices.

  • The nature of the data held in the business
  • Where business data is stored
  • The means by which data is transferred
  • Areas susceptible to data leakage
  • Potential for personal and business use to blur
  • The built in security capabilities of the device
  • Procedures to handle loss and theft of the device
  • The procedures in place for circumstances involving the personal device and the business data it holds when employment terminates.


For a more detailed look at the Guidelines compiled by the ICO follow the link below:

Read our ‘bring your own device’ guidance (pdf)


SC Magazine: