Introduction to this document

Bring your own device policy

With the rise of the bring your own device (BYOD) culture, use our BYOD policy to set your rules on employees using their own personal mobile devices to access your IT systems for work purposes. Be particularly alive to security, confidentiality and data protection concerns here.

Issues

BYOD is where employees use their own personal mobile devices to access your corporate network and systems for business purposes. The three main issues with BYOD are protecting your confidential information, ensuring the security of your network and systems, and complying with data protection requirements. The difficulty with BYOD is that the device is owned by the employee rather than by you (so you have significantly less control over it than you would have over company-owned equipment), and yet it is still crucial that you protect your confidential information and network security and that all processing of personal data under your control remains in compliance with the UK GDPR and the Data Protection Act 2018. As far as data protection is concerned, you must still have appropriate technical and organisational security measures in place to prevent the personal data you hold from being accidentally lost, destroyed or damaged, or from being unlawfully accessed, regardless of who owns the device used to carry out the processing. Security is therefore a primary concern, so consider which types of personal data may be processed on a personal device and which must always be held in a more restrictive environment.

BYOD policy

This is where our Bring Your Own Device Policy comes in. Employees need to understand their responsibilities when connecting their own devices to your IT systems, and at the same time you need to set out your ability to audit and monitor compliance. Our policy sets out its scope and purpose, covers the process of connecting devices to your IT systems, contains detailed provisions for device monitoring (including the nature, extent and purposes of monitoring) and specifies your security requirements (including what must happen if a device is lost or stolen, when an employee leaves employment, or when an employee wants to sell or otherwise dispose of the device). You can add to or amend the provisions as appropriate to suit your particular requirements and the specific risks you wish to address.

Monitoring

A personal device will naturally also contain the employee's own personal content. Ensure, insofar as possible, that you only access and monitor content and apps that have been created or are being used for business purposes, so as to avoid infringing the employee's right to privacy. The same applies to the deletion or wiping of corporate data: do not wipe the employee's personal content, although, of course, this could still happen inadvertently, so the policy should make employees aware of that risk before they connect a device.