Using personal mobile devices for work could come at a price

This interview is based on research by Oriol Cremades

Many employees are using their personal phones or computers for work. The line between work and personal technologies is blurring. This trend is particularly reflected in the growing use of BYOD in companies, where employees use their own devices for work, also encouraged by different models of teleworking.

Although it may seem a harmless habit, employees and employers should think twice before using personal mobile devices at work, warns Esade researcher Oriol Cremades.

Using personal mobile devices for work can offer many advantages. But the negative consequences for both employees and employers may outweigh these advantages.

BYOD: What is it and what does it mean in the workplace?

The term BYOD, which stands for ‘Bring Your Own Device’, refers to an increasingly common practice. BYOD in companies allows employees to use their personal devices for work activities, which represents a significant change in the traditional way of working.

Instead of using only company-provided devices, employees can use their personal devices for work activities, such as sending emails, making calls or using work applications.

The use of personal mobile phones at work is a clear example of BYOD.

Do Better: Is it a bad idea to use personal devices for work?

Oriol Cremades: Many people use their personal mobiles for work unaware of the potential consequences. Sharing business data in personal mobile phones can be risky for companies – it can lead to security breaches, viruses and loss of information. For employees, this practice can lead to a breach of their rights.

Examples of BYOD in companies

In Spain, a clear example of BYOD in companies and violations of workers' rights can be found in a recent sentence of the National Court. It deals with the case of a food delivery company that forced part of its employees to be geolocatable (the so-called Telepizza case). Specifically, the company obliged delivery employees to use their personal mobile phones so that they could be geolocalised when making deliveries.

Many people use their personal mobiles for work unaware of the potential consequences

Two labour unions (UGT and CCOO) took legal action against the company and won. The court was very clear in its verdict: the measure violated the workers' right to privacy, violated data protection regulations, constituted an abuse of rights, and resulted in unfair enrichment of the employer.

BYOD and security: Key business risks

There are many risks. One of them is the lack of separation between work and personal and family life, an issue related to the so-called right to digital disconnection. The practice of BYOD or BYOD methodology in companies can lead to techno-stress and unpaid and uncompensated overtime.

Other risks that are not strictly work-related include losing the mobile device or breaking it, which in turn, leads to a loss of information or, in some cases, a security breach. If you use your personal phone for work without your employer knowing about it, you could be endangering the company’s system security. This has happened to politicians. For example, Hillary Clinton used a personal email server that lacked security for work-related matters and her emails were subject to repeated attempts at intrusion.

BYOD could lead to technostress and uncompensated or unpaid overtime

Another risk is the violation of employees' fundamental rights. For instance, an employer could suspect that an employee is using his personal mobile device to transfer information to his competitors. If the employee is using a company device, the employer would have the right to access that device if there is a suspicion (and, in any case, in compliance with the regulations and case law applicable).

But in the case of personal devices this would not be an easy legal matter because the risk of violating fundamental employee rights rise exponentially, especially privacy rights, personal data rights and the right to confidential communications.

Separating the work area from the personal area is a key measure to ensure BYOD security and to limit the company's access to the work environment only.

It sounds legally complicated...

There could be a way to tackle this. An employer could establish an internal policy that states whether personal devices can be used and under which circumstances. But this does not solve the problem. A better solution would also be to separate the working area from the personal area within the device through an app or similar and install strong security measures. This would allow the employer to access the working area only when there is suspicion of a privacy breach or when it is necessary to control or check the job performance of an employee.

Employers cannot monitor employees’ emails indiscriminately

A more convenient solution would also be to separate the work area from the personal area on the device through an app or similar, and always including very strong security measures. This would allow the employer to access the work area in case of a suspected security breach or when necessary to monitor or verify the worker's performance.

This measure is essential to balance the advantages and disadvantages of BYOD, allowing to take advantage of the convenience of personal devices while minimising security and privacy risks.

But this is no longer true...

BYOD practice is possible because of a widespread cultural trend that is blurring the line between work and private and family lives – and also because of the general vulnerability of employees in labour contracts. Additionally, mobile devices that used to be provided only by companies are now affordable by a large majority of employees.

It is also due to the generalised position of vulnerability that employees have in employment contracts. In addition, mobile devices that in the past were only provided by companies are now accessible to most workers, as their prices have decreased, and they are more affordable.

Sharing business data in personal mobile phones can be risky for companies

What does the law state about the use of personal electronic devices at work?

There is no specific and clear legislation concerning the effects of this practice – known as Bring Your Own Device (BYOD). Spanish legislation – even labour and data protection regulations – are based on the assumption that employers provide employees with the devices needed to do the job.

Can employers check employees' emails indiscriminately?

Definitely not. Regardless of whether an employee is using a company or personal mobile, employers cannot monitor employees' emails indiscriminately. Employers are obliged to comply with several rights (such as privacy rights, personal data rights and the right to confidential communications) and case law criteria. An employee must be well informed about potential checks in advance and employers can only inspect devices if there is a suspicion – and even then an employer must be very cautious when accessing the device and his inquiries must be delimited and proportionate. For instance, employers should search for very specific keywords (e.g., the name of competitors).

When is a breach of privacy rights most likely?

A breach of privacy rights may happen at any time throughout the life of a labour contract, but an employer may have incentives to breach employee rights when he knows that the labour contract is about to be terminated – because he may think that there is nothing to lose with that breach.

If an employee is suspicious that his or her rights might be violated, he or she should seek the support of employees' representatives, the Labour and Social Security Inspectorate or a lawyer.  

How would you solve the BYOD legal challenge?

I think we need to get to the root of the problem because case-by-case legal actions and solutions don't solve the challenge. In my research, I suggest that all collective bargaining agreements should compulsorily include a clause about BYOD policies, including a general principle of specific and adequate compensation.

Labour contracts should also include a clause that states that when the employee uses his own personal mobile for work, the employer must pay an adequate percentage of the related costs to prevent employer's unjust enrichment. This contractual clause would be a materialisation of the mentioned general principle compulsorily included in all collective bargaining agreements. These measures would ensure that all employees are protected at a very basic level. It would be a first step towards a BYOD future that could guarantee employer and employee rights.