
Overcoming the data governance and security implications of BYOD

In this tip, learn the data governance and security obstacles businesses must consider when implementing a BYOD policy, and how to overcome them.

In recent years, more employees have been bringing their own devices to work. Think about it: Does management at your organization force its employees to hand over their personal smartphones at the door? Of course not. There's even a term that has become common in the business lexicon: bring your own device (BYOD).

As smartphones gained traction in the late 2000s, most organizations didn't know what to make of BYOD and how it influenced data governance and security. In the past three years, however, many IT departments have had to throw in the towel. Technology today is nothing if not ubiquitous and, amazingly, the number of connected wireless gadgets could triple by 2015. As a result, many organizations have stopped trying to tell employees which devices they can and can't use while on the clock.

If done correctly, BYOD programs can have many benefits for companies. Times are tight, and the cost savings from BYOD are potentially huge. First and foremost, IT no longer has to provision cell phones. Like any other trend, however, the pros have to be balanced with very real cons. BYOD creates unique data security threats, as well as an increased burden on IT staff.

But for better or worse, BYOD is here to stay. This is not just a private-sector trend, either. Government agencies obviously have numerous data governance and security issues to contend with, but it has not stopped them from jumping into the BYOD fray.

What can CTOs do when faced with these data governance and security concerns? They can lead, follow or get out of the way. Implementing a BYOD policy that upholds data privacy and security isn't simple, and there are many considerations for effectively deploying mobile technology across the enterprise.

Know your business environment

European governments have long pushed the importance of data privacy -- and to a far greater extent than U.S.-based corporations. The European Union's Data Protection Directive (DPD), adopted in 1995, has roots that go back to the 1980s and represents an early attempt at enforcing data privacy and security standards. Within the next few years, the DPD will give way to the General Data Protection Regulation. Businesses that conduct operations in Europe have to take these regulations into consideration when developing mobile strategy to ensure they aren't violating employees' privacy when monitoring activity on personal devices.


To date, the U.S. has not passed a single, unifying data protection law comparable to the E.U.'s -- and it's not likely to happen any time soon. Instead, the U.S. has adopted a sector-specific approach to data protection legislation: each industry is governed by its own statutes and regulators, and each organization must comply with -- and enforce -- the rules that apply to it.

These statutes must be a top concern when implementing a BYOD program, but because of regulatory differences among U.S. industries, one size does not fit all when it comes to compliance. For instance, for nearly two decades, health care organizations have had to deal with the Health Insurance Portability and Accountability Act of 1996. The act's Security Rule requires health care organizations to put administrative, physical and technical safeguards around electronic protected health information -- which, in a BYOD program, means protecting patient data on personal devices against malicious applications, malware and other cyber threats.

In finance, on the other hand, an entirely different set of regulations sets the tone. While not specific to data protection, the Sarbanes-Oxley Act's internal-control requirements have wide ramifications for how organizations delineate responsibility for the security of financial data -- including data that ends up on personal devices.

Foolish is the organization in one industry that haphazardly bases its BYOD policy on one that is effective in another, nonadjacent industry. An organization must closely examine industry-specific rules that apply to it, then develop mobile-related data processes to ensure company information stored on personal devices can be properly stored, maintained and, eventually, disposed of according to these regulations.

Know your employees

Here's one question an organization should consider when developing BYOD policy: Are most of the employees Millennials or baby boomers? Statistics show the former are much more likely to carry the latest gadget into work.


Consider two workforces of equal size: Company A has a stable, mature workforce with an average tenure of 12 years. Company B has a high-turnover workforce rife with Millennials, and the average tenure there is three months. I'd argue that the need for a formal BYOD policy is much higher at Company B. The mature, long-tenured workforce of Company A means it is less likely to need heavy-handed rules and stipulations, whereas Company B has a steady stream of new personal devices arriving -- and departing, along with whatever company data is on them.

Another important question is whether enterprise IT controls should focus on the device or on the user. Google Glass might be a few years away, but wearable technology is here to stay and could dramatically influence mobile technology in the workplace. Fitbit and the Pebble Watch are just two more examples of an unmistakable trend: Many employees may soon show up to work not only carrying multiple devices -- most of which can connect to the Internet -- but even wearing them. With even more devices to contend with, the data privacy, security and governance impact cannot be ignored.

To this end, earlier this year, security companies began to rethink their data security models. Some have launched BYOD-specific end-user protection programs. The premise of these programs is less about protecting individual devices and more about protecting individual users and all of their devices: policy, licensing and monitoring follow the person rather than a particular handset. This holistic approach is a logical one, because it does not break every time an employee adds or replaces a gadget. Expect many security companies to follow this lead, and companies should consider such solutions when developing a BYOD policy -- and the data security processes that come with it.

Implementing a secure BYOD policy isn't easy, and it can be difficult to budget for. Calculating the precise ROI of BYOD is an exercise in futility, because the cost savings from not provisioning devices have to be weighed against how much you must invest in data security -- mobile device management, user protection, monitoring and staff time -- once the program is in place.

Organizations must closely consider the data security, governance and compliance implications of BYOD, and it's vital to stay flexible when a program is implemented. New technology will always be on the horizon, and employees will always want to bring these new toys to work. Make sure they are not making sensitive company information vulnerable when they do so.

Phil Simon is the author of five management books, including the award-winning The Age of the Platform. A recognized technology expert and speaker, Simon advises companies on how to optimize their use of technology. His contributions have been featured on NBC, BusinessWeek, Fast Company, The Huffington Post, ABC News, The New York Times and many other tech sites.


Does your organization have specific data security and governance processes as part of its BYOD program?
This is something we are now looking into. In the past we only allowed authorized organizational phones on the system. So we are getting there.