France: best practices for BYOD

As you know, “BYOD” is an acronym for “Bring Your Own Device”. More specifically, it is an emerging practice in companies whereby employees use personal computing devices for business purposes, including personal computers, tablets and smartphones. These devices may therefore be used in order to access professional information or applications such as client databases and e-mails.

This recent phenomenon originated from the United States and has started expanding in France. Although most companies are still reluctant, France is however one of the European countries which is most focused on BYOD.

Companies have good reasons to be concerned. The use by an employee of his personal computer to have access to the company’s information system may in fact present alarming risks of security. The employee’s personal device may not feature any protection and its use may result in virus infecting the company’s information system. In addition, the risks of disclosure of confidential data are significant.

As the employer is solely responsible for his information system, he only, can decide whether to prohibit or on the contrary, to organise and control BYOD. The employee can never impose the use of his personal devices to perform his professional duties.

The practice must be organised as soon as the employer decides to admit it, which requires at least minimal controls on employees’ personal devices. However, this control should not disproportionately infringe the employee’s privacy.

This is why the French Commission Nationale de l’Informatique et des Libertés (CNIL) issued on February 19, 2015, guidelines on the best practices for the use of BYOD, in order to reconcile the security of corporate data with the protection of employees’ privacy.

Firstly, the CNIL reminds that the use of personal computing equipment of employees for professional duties should not be their only way to access the information system of the company. Employer are required to provide employees with all the means necessary to perform their professional duties and this use should therefore be an alternative only. It consists more of an extra that makes things easier for the employee.

The CNIL then reminds that the employer is also responsible for the security of personal data, including when it is stored on personal devices which the employer granted leave to use. Therefore, the employer is required to safeguard against security risks by identifying the risks in the first place, then by determining the necessary measures to be implemented in a security policy and by raising employees’ awareness regarding the risks.

Finally and foremost, in order to protect the employee’s privacy, the employer cannot just take any measure. It cannot access private data of the employee which are stored on the device.

The CNIL specifies that the standard declaration on the management of employees or the appointment of a Data Protection Officer (“Correspondant informatique et liberté”) is enough to implement BYOD and that there is no need for a special declaration.

Finally, employer opting for BYOD must ensure, by means of proportionate measures, the correct balance between the security of its information system and the protection of his employees’ privacy.