Bring Your Own Device

Protecting Business Data held on Employee-owned Devices

We wrote recently about the ownership of business contacts which are held in an employee’s personal social media account, but there is actually a bigger threat to the control of business information.

A survey has been released by Ovum stating that 67% of employees who own a smartphone and 69% of employees who own a tablet use them for work purposes.  This has made us think about the business implications of these practices.

It could appear that this is an IT issue but, for us, any area that needs to be covered by policy is an HR issue!

Bring-your-own-device

There are obviously benefits to both employers and employees when employees use their own devices for work purposes.  From the employer’s perspective, they can see increased productivity and save money by not having to provide staff with phones or tablets.  From the employee’s perspective, they don’t need to carry two different phones around with them and can reduce their expenditure by charging the phone costs back to the company.

Lost or stolen data

The biggest downside to employees using their personal devices for work purposes is that the company loses all control over how information is stored and protected.

Phones and tablets are easily lost and stolen, and the company would have no idea what information was on the device.  The employee may actually choose not to tell the employer that the device was stolen or lost, and therefore the company may be blissfully unaware that confidential information was in the hands of who knows who.

Data protection issues

Under the Data Protection Act 1998 (DPA), an employer has key responsibilities when it comes to managing and protecting data.

If a mobile device held personal data relating to staff or clients and the device were to be lost, then the employer would have a responsibility to report the breach to the Information Commissioner’s Office (ICO) and demonstrate that it had secured, controlled or deleted all personal data that was on the device.

In addition, many mobile phones back up to the cloud, which can also present a challenge.  Data controllers have a responsibility to ensure that all data is kept within the European Economic Area, so if the cloud service used was US-based then this may breach this requirement.

Options to prevent problems

You could simply take the position that you don’t want your business data to be stored on personal devices and therefore tell people that they can’t use personal devices for business purposes.  If this is the route that’s best for your business, you’ll need to be able to provide business-owned devices if there is a need for your staff to be contactable for work purposes when they are outside of the office.

If you choose to allow employees to use personal devices for work purposes then, as with so many business practices, the first step to protecting your business is to ensure that you have a clear policy in place.

Bring-your-own-device policy requirements

The policy needs to set out the requirements on individuals in relation to using their personal devices for work purposes.

Some things that you should consider are:

  • Registration – do you want staff to register that they are using their phone for work purposes?
  • Lost or stolen procedure – what should staff do should the device be lost or stolen?
  • Data Management – what will you be doing to ensure that your data is managed appropriately?
  • End of employment – how will you ensure that all data is removed from personal devices at the end of employment?

The ICO has recently issued guidelines regarding bring your own device schemes and we recommend that you take a look at them.

If you’d like any support in implementing a bring your own device scheme then feel free to give us a call on 0203 319 1649 or use our contact form to drop us an email and one of our advisers will be in touch.