Bring your own device (BYOD) as a technology initiative breaks new ground for organizations in many ways. Besides offering users increased mobility options, intermingling personal tablets and smartphones with sensitive corporate data such as product plans, financial reports, and internal communications opens up new questions about data ownership.
Data ownership may have never entered your vocabulary -- except for corporate non-disclosure agreements -- because employer-owned mobile devices were the rule of the day. When embarking on a BYOD initiative, it's time to review your organization's data ownership policies to protect your corporate information and organization as a whole. The data ownership policy content must be reviewed by your management, IT group, and legal counsel at regular intervals to ensure it is up to date.
If you have been operating with a verbal data management policy, then BYOD makes it time to formally document data ownership. This policy should include data categories such as unrestricted corporate data (think public domain content like marketing collateral), sensitive corporate data (customer information), and critical corporate data (corporate financial, strategic, and product planning data). Your data ownership policy needs to consider how mobile devices users can access and store such data on their smartphones, tablets, and laptops. Depending on the results of your internal policy review, your organization may want to designate specific user classifications for BYOD and corporate device users.
While data ownership over corporate documents is straightforward, the Fast Company article "Making Sure BYOD Doesn't Mean 'Bring Your Own Disaster'" raises some valid questions over other business information:
But what about information like phone numbers and contact information of people who reside in your personal contact application? If you are a sales or support person and your phone number is published as a work number for people to reach you, does the employer expect to use that number when you leave the company?
You must answer these important questions and usually others in your data ownership policy prior to going BYOD. It's even more important to answer these questions if you are in a competitive industry where alpha sales people are prone to move around to your competitors. These decisions must be documented in your data ownership policies and signed off by mobile users taking part in your BYOD initiative. In the case of career sales people, you may run into some who always keep their own set of customer contacts on their personal smartphones and tablets. Their personal devices may never touch your network. These sorts of matters can be tricky to enforce and are an issue for sales management to resolve, not necessarily the IT group.
Your employee onboarding and exit processes also should be updated to ensure you are reinforcing data ownership policies. When an employee comes on board, his or her personal mobile devices should be prepped with your security software to secure your corporate data, and the new employee must receive training on your data ownership security policies. Likewise, when an employee exits your company, processes must be in place to remove your corporate data from his or her devices.
Did your organization review its data ownership policies before rolling out BYOD?