In the Era of COVID-19 and Data Protection, the Unavoidable Need for BYOD Policy Testing

Abstract

Sometime in 2018, the Nigerian Information Technology and Development Agency issued the Nigerian Data Protection Regulation (NDPR), which took effect in 2019. The NDPR mirrors the provisions of the General Data Protection Regulation of the European Union 2016/679 which provides extensive data privacy protection and regulation across board, including employment law and employment relationship. The NDPR has specific provisions regarding the privacy of employees’ personal data either furnished to employers at the commencement of employment or accessible to employers by virtue of access to employees’ work tools , such as office work stations, official laptop computers and mobile telephones, personal laptop computers and mobile telephones serving dual purpose of personal and official use. Many companies have no internal ‘Bring Your Own Device’ (BYOD) Policy that spells out the modus operandi for these devices, possible exposures and mitigations for likely breaches, and defining the extent of access to private information of employees; to aid employees in deciding whether to enrol or opt out of a BYOD. Furthermore, the incidence of the COVID-19 pandemic forced most enterprise in Nigeria, and indeed around the globe to either shutdown or resort to working remotely from homes using either personal or company issued devices. Interestingly, most Nigerian enterprise’ operate a BYOD by conduct without having a BYOD policy, thereby exposing these enterprise’ to possible breach. This article provides a guide to balancing the seemingly conflicting interest of safeguarding corporate confidential information and privacy rights of employees through a BYOD Policy.