Use of Personal Devices at Work: Why a Bring Your Own Device Policy is Essential

If you have employees who bring their own devices into the workplace and use said devices to deal with company data, you may want to consider a Bring Your Own Device (“BYOD”) policy. Such a policy essentially covers the use of personal mobile phones and computers in the office or for work purposes.  Using a personal device for work purposes has some advantages but it could also throw up a number of problems for both employers and employees, which is where the BYOD policy comes into play to help protect and safeguard personal data.

Why use own devices?

Nowadays, most people have access to their own personal laptop or smartphone. Smaller businesses, in particular, may see a benefit in allowing the use of personal devices to save the company from having to purchase devices at its own expense. It allows individuals to use items they are familiar with, as and when convenient to them, although many employees may expect a financial incentive for using their own devices as opposed to company ones.

What security concerns are there?

There are higher security risks with employees using their own devices. The ICO recommends that company-issued devices are used, but recognises that where personal devices are used, there is a difference between employees using their own device to access company software and employees using their own devices and software. The latter, it says, carries the highest risk and should be avoided for all but the smallest organisations with an immediate need to work remotely with no other remote working capability.

Security always has to be a priority as employers have data protection and confidentiality obligations. One of the major risks of using a personal device is the employer’s lack of control. A device could be misplaced or lost, or shared more widely than necessary (for example with family members on shared devices). The devices may also contain out-of-date software or inadequate access controls (such as weak passwords). As the devices would also be for personal use, they could be corrupted as a result of internet browsing or downloads which are unrelated to work. It may also leave devices more vulnerable to hackers.

The possible consequences also extend post-employment – many organisations require employees to delete or return sensitive or confidential information they may have acquired during employment.  It is much more difficult to ensure this has been done where the device belongs to the individual and not the company.

How can a BYOD policy help?

The ICO guidance highlights that having an effective BYOD policy can minimise the risks associated with using personal devices and the protection of company data. Employers must be able to take measures if needed to protect against unauthorised access and data breaches. A policy can help by providing guidance to employees on what is expected from them including requirements to keep software up to date, to encrypt data and devices, to have automatic locking (for example if the device has been inactive for a period of time) and to use strong passwords.  It should also be clear how employees can report any potential data breach.

It’s also suggested that business and personal use on the devices should be separated, making it easier to manage and monitor.  This can be done via use of different apps. You could also consider the inclusion of a provision to allow sensitive data to be remotely deleted, if necessary, which would reduce the problems associated with lost devices or those belonging to ex-employees.

If you think your organisation would benefit from a BYOD policy, we have a template available on our Employmentbuddy website. If you want further advice or a more personalised policy, our employment and data protection teams would be happy to assist you.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
