Voted Best Answer
Mar 13, 2018 - 03:54 AM
I don't think BYOD precludes compliance with privacy requirements, as long as you're sandboxing corporate data on those devices and make it sufficiently difficult for data to be lost/transferred. Ultimately you'll never prevent a determined/disgruntled employee from leaking data but I would imagine, like PCI-DSS, what you'll need to demonstrate is that you're evolving your controls and systems to do the best job you can. It took many iterations for PCI-DSS to get to its current state where the 300-odd requirements are weighted in order of importance, and an AoC can still be issued based on an overall rather than specific view.
In practical terms I think you would need to demonstrate that you have policies, procedures, and restrictions in place to discourage employees from using non-approved products. This might be, for example, an MDM policy, an authorisation process for allowing a personal device to access your network/data, and getting your user to read and agree to a policy describing their permitted and non-permitted uses of the system.
Its likely that your MDM policy will need to sandbox company data, possibly only allow access to the sandbox via a VPN'd connection, and mandate encryption of the device.
Ultimately, access for any user or device to PII is going to be governed by your Privacy Officer's appetite for risk.