Bring Your Own Data Retention Policy: Recommendations for Employees

Marisa Peacock

As we enter a new Bring Your Own Device era, the line between personal and corporate data is becoming more blurred. With consumers becoming more proactive about protecting their information across social media and mobile devices, and more attuned to how their information is being protected (or not), we at CMSWire were curious how consumers' own data retention behaviors are affecting how companies manage data.

BYOD Era Brings More Data Into the Enterprise

Whether it’s email, instant messages, discussion boards, social media or actual document creation, the growing amount of data in the enterprise is not only man-made, it’s largely created by employees. And not only that, creating data is no longer limited to the 9-to-5 work day. Now, most employees have access to company email, files and other systems practically any time they want, remotely from a laptop or mobile device.

We’ve covered what companies are doing to help retain data for compliance or discovery purposes and the policies that guide them. From managing data more effectively to keeping archived content relevant and compliant, most advice about how to handle consumer technologies has been given from the perspective of the enterprise, not the employee.

Just in time for National Consumer Protection Week, we gathered insights from some reputable sources for recommendations about how consumers can manage their own data better, which may lead to better behaviors and awareness in the enterprise.

A Consumer Bill of Rights

We started at the top. A few days ago, the White House released a report called Consumer Data Privacy In a Networked World: A Framework For Protecting Privacy and Promoting Innovation In the Global Digital in which a Consumer Privacy Bill of Rights is introduced. It outlines a baseline of clear protections for consumers and greater certainty for companies. Specifically, it provides consumers with 7 basic rights when it comes to protecting consumer data:

  1. Individual Control: a right to exercise control over what personal data companies collect from them and how they use it
  2. Transparency: a right to easily understandable and accessible information about privacy and security practice
  3. Respect for Context: a right to expect that companies will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  4. Security: a right to secure and responsible handling of personal data
  5. Access and Accuracy: a right to have access to and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate
  6. Focused Collection: a right to reasonable limits on the personal data that companies collect and retain
  7. Accountability: a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights

Ultimately adopting this will take more than just a declaration -- Congress and the FCC must agree to these terms, not to mention the companies that represent nearly 90% of the online advertising marketplace.

Politics aside, these rights outline exactly what the enterprise needs to be planning for and what consumers need to be more aware of as they engage online. Once consumers understand the types of information being gathered about them, they may think twice about using their personal device on company time -- which isn’t to say that companies don’t need to accommodate personal devices or change their own data policies.

BYOD at Your Own Risk

Next we talked with Wayne Wong, managing consultant at Kroll Ontrack. Kroll provides consulting, services and technology products involving data recovery and information management. I asked Wong what he recommends companies require of those who opt to BYOD to work.

For Wong, there are two primary issues when it comes to data retention and employees bringing/using their own device for business, namely managing the retention of documents and promoting awareness among consumers of their separate "personae." He says:

"It’s fine for users to be running on their devices, but what happens when the user runs out of disk space? When you are utilizing an organization’s device, there are usually regulatory requirements for storing documents. This concept must also be applied to people using personal devices to do company work.

"Users who opt to use a personal device at work need to understand that at some point data retention goes beyond preventing loss of family pictures. Most consumers don’t run out and buy a backup system for their personal devices, but they should be aware of the many options available to them and more proactively look for a backup scenario that works for their lifestyle. For example, an easy and effective way to back up data is through an online system. This gives users faster recovery if an issue does occur and multiple access points to your data so you don’t have to carry around physical storage such as a USB stick."

For many of us, there may be a great overlap between what we do at work and who we are in real life, but our interests may not always be relevant or welcome as we cross between our personal and professional spheres. Wong encourages us to keep our business life separate from our personal life, as best we can. Many users may be surprised to learn that any work done on a personal device related to business does belong to the business and not the user. As a result, Wong warns,

"If it gets lost or falls into the wrong hands, the user’s workplace can reserve the right to wipe the data remotely. Organizations must make employees aware of the authorized work storage environment from the very beginning."

A Social Experiment

Finally, we wanted to get the consumer’s point of view about data retention and management. How are employees managing their data so as to protect and enhance their privacy? Has increased exposure to smartphones and tablet devices, as well as cloud computing services, made us more aware or more overwhelmed?

A recent Pew Internet survey indicated that as more adults create social media profiles, more of them are tweaking the privacy settings to restrict access to specific groups of friends and users. However, do these behaviors carry over into the workplace?

I conducted an informal survey of friends and followers and asked whether their increased awareness about how online information is collected has led them to change the way they work professionally. What I found was a mix of general awareness coupled with blissful ignorance about what the online world knows about them or what they are doing with their data. They have either accepted this as our new reality or choose not to dwell on it because it makes them feel sad and angry. As a result, they are a little more guarded about how they integrate personal devices at work, if at all. Most are not aware of a specific policy outlining mobile usage or data retention, but nevertheless have disciplined themselves to sign out of Google before searching or only use their smartphones for activities deemed personal or private.

What this tells me is that there is still a gap between what the enterprise is doing to manage data and what employees know about it. If policies exist, many don’t know about them or how they relate to them personally and professionally. Additionally, most of those I talked to seemed to be less concerned with privacy issues -- they were rather apathetic about how their information was being used. For some, if it was between agreeing to the terms and conditions put before them, or opting out and not being able to use the application, they’d click "accept" and hope for the best.

While this isn't the best strategy, it does invite more discussion and debate about what the BYOD enterprise holds for the future.