Lost mobiles could soon mean fines worth thousands

Wednesday 09 May 2018

As the summer beach and festival season approaches, loss-prone islanders ought to keep an extra close eye on their mobile phones, as losing them could now end up costing their employers thousands under new data protection regulations, a local legal expert has warned.

With GDPR due to come into force on 25 May, many companies are rushing to ensure their client databases are adequately protected.

But Bedell Cristin Legal Assistant Tom Harris is reminding them of one important area they may have overlooked: mobile phones. 

With many companies operating a ‘Bring Your Own Device’ (BYOD) policy involving employees accessing work emails and information from their mobile phones, a lost device could land them in serious trouble – in breach of the law and with a hefty fine – if a third party finds it.

Pictured: Bedell Cristin Legal Assistant Tom Harris.

Mr Harris explained: “With a month to go until GDPR becomes enforceable, businesses are rushing to get their houses in order, even more so in light of the recent Facebook-Cambridge Analytica scandal. Under the current data protection regime, Facebook should expect to pay up to £500,000… a mere drop in the ocean for a Fortune 500 corporation. However, had the data breach occurred after the 25 May, that fine could have been to the tune of £1bn.

“With such potentially astronomical fines, it's no wonder that data protection news has been focused on the responsibilities of businesses under the GDPR. But what about the individual employee? What are your duties and potential liabilities for data stored on your electronic device? What happens if you lose your device, someone finds it, and exploits the data stored on/accessed through it? 

“...As an employee you remain liable to your employer in relation to the company data once you leave the office. Having 24-hour access on your own device is likely to increase the chances of breaching your company's data protection policy, or make it easier to effectively assume the role of data processor yourself. That said, your employer is first and foremost responsible and liable under the law to prevent this from happening. In the case where you lose your unsecured device and someone else retrieves the company data from it, your employer will be legally liable and you will be liable to your employer.”

As such, he’s now urging firms to consider using software to separate personal company data on or accessed through the same device, as they’ll be “held to a much higher data protection standard” from 25 May onwards.

“With much broader and more stringent requirements on controllers, as well as the sobering new penalties for breach, employers will ensure the highest standards of policy, security and training in relation to you and the use of BYOD are enforced. 

“Although BYOD may represent a further potentially huge liability with the incoming data protection regime, it has nevertheless become an integral tool within many business sectors. You should therefore treat it like any other element of your company's filling system - with the utmost diligence and security,” he added.