Blog post

Blurred Lines

By Heidi Wachs | August 21, 2013 | 5 Comments

Blurred Lines is not only one of this summer’s breakout songs (and the subject of a copyright lawsuit), but is also the theme when it comes to the commingling of enterprise and personal data on mobile devices. 

My current research explores the technical controls that can be successfully deployed to balance enterprise information protection needs with employee personal privacy expectations on mobile devices, as well as best practices for Corporate-Owned Personally Enabled (COPE) and Bring Your Own Device (BYOD) programs.  Interestingly, as I get deeper and deeper into the research I’m finding that many of my assumptions were just plain wrong:

  • Companies are not using solely one approach or the other, many seem to have a hybrid COPE/BYOD environment
  • Many organizations do not have mature, developed programs rolled out but rather are still in the preliminary planning/test phases

But that’s good, because that’s the whole point of doing thorough research.  I’m learning a lot about this area including, perhaps most importantly, that technology as a whole is just at the tip of the COPE/BYOD iceberg.  And not just in the US, but across the globe.  To complicate the subject further, both the devices and the available apps and software are constantly evolving.  Talk about a moving target.

And that’s just from the technical perspective.  There are big privacy issues to be addressed here too.  How has your organization grappled with:

  • What happens when employees install apps with personal information or use corporate-provided file-syncing resources to store personal photos and documents on a COPE device? 
  • What if an employee opts in to a BYOD program only for both parties to learn after the fact that her geolocation data is now available to her employer?
  • Should organizations develop secondary privacy policies governing the data being collected through their BYOD programs in addition to their external facing privacy policies? 

There are many more questions than answers, but if your organization is discussing, or has resolved, any of these issues, I’d love to hear about it! For now, back to the research. Keep an eye out for the final product sometime this fall!

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • craig vachon says:

    Please check out AnchorFree’s BYOD offering. Working with the enterprise VPN solution providers, AF uses a smart switch [App or client] to route all traffic that is not enterprise to a safe/encrypted/private network [with data compression]. Check us out. Thanks

  • Mark O'Neill says:

    >Should organizations develop secondary privacy policies governing
    >the data being collected through their BYOD programs in addition to
    >their external facing privacy policies?

    I suggest taking a step back here. Rather than developing policies about dealing with data on the device, choose an app architecture where data is pulled down as-needed via an API, and not stored on the device. This has a trade-off that the data is not available when the device is offline (e.g. on a plane). But it can increasingly be assumed that devices are “Always On” a data network.

    In this architecture, if the device is lost or stolen, the data is not present on the device. Instead, the API access can be switched off for that device, if it is reported lost or stolen. This renders the app unusable. It also allows you to gauge access based on where the device connecting from (e.g. from a home network, or a foreign country), which is not something easily done if the data is already on the device.

    I think that people often focus on something “on the device” to provide privacy, rather than managing the private and sensitive data at the source.

    Full Disclosure: I work for a company (Axway) which provides an API Management product that addresses this scenario.

    • Heidi Wachs says:

      Mark – thank you for your response because it made me understand that I need to clarify. My question was in regards to whether an employee-facing privacy policy was necessary to provide notification and govern the employee’s personal data in terms of how the company will collect/use/destroy it. There seems to be a wide range of practices in this area in both COPE and BYOD programs including everything from monitoring a list of apps that the employee puts on the device, to the ability to monitor their location information.

  • @Heidi – hopefully you get more of the responses, I just dropped your link on my twitter feed and it was even RT’d a few times.