Personal devices are an increasingly essential work-related tool and have made mobile information management a big data governance concern. Chief among the governance obstacles is protecting corporate data assets while simultaneously avoiding personal information privacy violations.
In this Ask the Expert, Jeffrey Ritter, Esq., founder of the Ritter Academy, explains how mobile device use forces changes in companies' data management processes, and how companies can protect both their own information assets and employees' personal information.
You have talked a lot about how mobile device use is having a major influence on modern information management. Where does privacy fit into the equation?
Jeffrey Ritter: It's important to understand that personal information is emerging as a new kind of property. That's true for all digital information, but particularly because of the regulatory and the commercial interest in personal information. When we look at personal information being created, accessed, used or stored in mobile devices, privacy fits into the equation as almost two sides of the same coin. On the first side, a company has an interest in protecting the information assets of the organization. But does it extend to an employee that may be using a mobile device that includes personal information to access corporate records?
Companies need to build their controls and their rules to protect information out onto the mobile devices. At the same time, the company has some problems on the other side of the coin. If the mobile device is used by the employee for other personal affairs, or if it is a personal device, there has to be a way of putting in place rules that respect the privacy of the user of these devices with regard to their personal information that's not directly connected to the company's business. Those are really two sides of the same coin, but it requires different rule inventories to be developed by the company and put in place with the knowledge and consent of the users.
What information management processes are needed to separate corporate and personal data to avoid potential privacy ramifications?
Ritter: That task is actually one that is very difficult to do. Think about how all of us use electronic mail in our business. It's the rare organization today that was successful 10-15 years ago in saying 'you can only use the electronic mail platform we provide for corporate purposes, and you can never email your wife to talk about the grocery list.' It just doesn't happen anymore. When we are looking at corporate implementations of bring your own device, then it's not going to be rationally possible, in most instances, to say there is 'no personal aspect in those devices.'
Instead, you have to think about how to structure the information asset governance, the applications and the systems so that one is separated from the other. The management processes that are going to be important are firewalls, defined access privileges and access limitations for anyone using a corporate-owned device from a public Internet resource that is not directly related to their business. Those three things are where the friction occurs, and the best thing to do to protect the corporate information assets is to build in the right kind of access controls that keep the information within the firewall even if it's being accessed from a mobile device.
As told to Ben Cole, site editor.
Jeffrey Ritter asks:
What steps does your organization take to protect both company and personal information privacy when employees use mobile devices for work purposes?