Go to Top

Should wearables be included in corporate IT policies?


As wearable technologies become increasingly popular, they are attracting the scrutiny of regulators around the world.  In addition to being used for business purposes, wearable devices provided by employers are likely to be utilised by employees for personal applications, such as fitness trackers and contactless payment. 

The number of wearable devices is certainly on the rise. One estimate from ReportsnReports calculates that wearable device shipments will grow at a compound annual growth rate of 29% between 2016 and 2020, and that by 2020, wearable devices will represent a market worth $40 billion with over 240 million annual unit shipments.

Wearable technology is predicted to be big business – but what does it include? As well as the increasingly ubiquitous smart watches and fitness bands, it is predicted to extend into more niche products such as smart clothing, smart glasses and even smart jewellery, with designers including Swarovski and Fossil launching new products in recent times.

Overlap: wearables and company data

The question is whether – and how – the secure use of wearable technologies can be included into corporate IT and privacy policies. Smart devices gather a wide range of sensitive personal data and as these devices are connected to the corporate network, businesses should ensure they provide clear usage policies in respect to wearable devices. Such policies should detail what data will be extracted from such devices, and how the data will be processed, used and stored. 

Where to draw the line

Following the adoption of the EU Privacy Directive (GDPR), ePrivacy rules are next in line for review and the Article 29 Working Party has flagged concerns regarding the type of data that is collectable by wearable devices, the ability to profile users from such data and the security of these devices and the data collected. While the recent referendum changes the UK’s membership of the EU, it is likely that UK organisations will need to conform to the principles of GDPR nevertheless.

Prior to businesses processing data using new technologies, they should now conduct data protection impact assessments. The purpose of conducting these assessments is two-fold: (1) to address the level of risk a company’s data processing poses to an individual’s rights; and (2) to identify what technical and organisational measures are required to manage these risks.

It would be prudent for companies to ensure:

  • data subjects are informed about how their details are being collected and used;
  • organisations only collect information that is relevant, adequate and not excessive;
  • any information that needs to be collected is kept securely and deleted once it is no longer required.

The findings of these impact assessments should form the basis of companies’ usage policy for wearable devices and the policy should be clearly communicated to all employees.

A new risk for exposing sensitive information

As well as considering how data collected on smart devices is managed, organisations should also consider how to protect against data lost from those devices. While smart devices are designed to synchronise with an app rather than store more than a small amount of data themselves, they can nevertheless store up to a week’s worth of GPS tracking information, which could be of interest to a third party.

A second risk introduced by wearables is that any new device paired with a smartphone that accesses the corporate network could potentially introduce malicious code to the system, which could in turn trigger a virus attack.

We’ve increased our connectedness but also our exposure to cyber threats

In a recent survey of 440 technology professionals by IT community Spiceworks, 90% of respondents said that the Internet of Things in general would pose security and privacy issues, with wearables being the top source of security breaches.

Almost six-in-10 (57%) of respondents cited wearables as the most likely source of IoT-related breaches, ahead of video/security cameras (51%), physical security such as locks and gates (49%) and sensors (43%). The reason behind this thinking was that such devices ‘create more entry points into the network’.

What options do businesses have to regulate wearables?

How organisations deal with the risk of data loss via wearables varies from company to company, whether that’s banning them altogether or ‘quarantining’ them on a separate network. It’s likely that the adoption of wearables within organisations will follow a similar trajectory to the ‘bring your own device’ phenomenon, and even direct internet access before that.

Resistance to employees’ use of consumer-type technology is rarely sustainable – and as we are already seeing, there are benefits for employers who provide wearable devices.

Rather than clamp down on wearables, it makes sense to consider how their use could be of benefit to the organisation, how likely employees are to bypass guidelines and just use them anyway, and how the safe and compliant use of wearables can be built into corporate IT usage policies.