This article forms part of our Policy and Procedure Framework.
Data Control Foundations
As an IT provider it is a given that we want to help customers control their data and their customers' data. It is, after all, a legal requirement for customers to be compliant with UK GDPR law. The basic foundation of data control is to ensure your organisation owns the technology upon which your data resides and has (typically via an IT provider) full oversight and management capability of the services and software used to access and edit that data.
When an organisation owns the computers or mobile phones its users operate as part of their job function, it is possible to maintain a high level of oversight as to who uses these devices and what data is stored upon them. Most importantly from a data security point of view, organisations can take possession of the equipment, and the data that resides upon it, when a member of staff leaves the organisation.
For cloud-based services, owning the technology can simply mean there is a billing relationship and contract in place between the organisation and the IT provider or a third party that guarantees a right of access and management.
If you allow your users access to organisational data via their personal devices (such as mobiles, tablets and computers) you are taking a significant risk. There may be advantages in terms of reduced cost to the organisation and increased convenience for the user, but these are outweighed by significant disadvantages.
Allowing users to use their own devices gives no control over scenarios that can happen accidentally or deliberately:
- A user can copy data entrusted to your organisation onto their personal devices.
- A user can put their own personal data into your organisation's systems.
- A user can delete data entrusted to your organisation from your systems.
- A user can introduce viruses or malware to your organisation.
- A user can weaken the security of your network by exposing it to security threats.
- Full control of your organisation's data is lost.
All of these are breaches of best practice and could also breach UK GDPR law or weaken compliance.
If your organisation wishes to mitigate these factors, it must have ownership or control of systems at its disposal. There are various ways to achieve this and all can be deployed in a way most suited to your organisational needs.
Own and prepare the technology
If we issue technology to your users we can ensure it is properly set up to keep your systems secure. Whether the devices are laptops, desktops, tablets or mobiles, when you have legal ownership of them we can enforce security and usage policies and retain the ability to remotely wipe or take possession of those devices at any time.
Own and manage the services
Common sense suggests that the data you use should be hosted on equipment you own or, in the case of 'cloud hosted data', should be managed by us as a competent IT provider; users themselves must not be responsible for choosing which services they use to do their work. As obvious as it might sound, if you let users set up their own services (such as email or data hosting) then you cannot expect to have any oversight of them.
UK GDPR, PCI Compliance and Cyber Essentials
Simply put, if you do not own the technology and services that your data resides on, and your IT provider does not have full management capability of that same technology and those services, then the chances of breaching UK GDPR at some point are extremely high. Likewise, organisations that need to be PCI compliant or Cyber Essentials compliant are also unlikely to meet the necessary standards.
The decision to allow users access to your organisation's data on their own personal devices is a choice you must make in an educated way. When you make this decision, you walk the line between data security on the one hand and low cost and high convenience on the other. Most organisations will choose security over price; what will yours do?