BYOD – a practice to be encouraged or restricted?

Article Index

Apple recently posted the biggest quarterly profit ever made by a public company; a clear sign that the proliferation in use of mobile technology is not showing any sign of abating. With more employees owning sophisticated tablets and smartphones than ever before, businesses that perhaps once thought the Bring Your Own Device (BYOD) phenomena may go away are facing increasing requests from employees to allow them to use their personal devices for work purposes.


On the face of this, surely BYOD is something to be encouraged? Allowing employees to access their business e-mail account, contacts and documents outside of the office, means they can work remotely at any time of day. The parameters of the working day are stretched, which must in turn lead to increased levels of productivity. BYOD can also mean cost savings for organisations, if it is the employee (rather than the employer) that is purchasing the device he or she uses for staying in contact with work outside of core working hours. Whilst potential increased productivity and cost savings are enough for some businesses to embrace BYOD, others have also seen the practice as a useful tool to enhance employee wellbeing and thereby improve staff retention rates, especially among Millennials.


If the BYOD debate is so clearly one-sided, why are not all businesses jumping on the BYOD bandwagon? The answer lies in the fact that the potential benefits go hand in hand with increased security, data protection and managerial issues for employers.

Let’s take an obvious example. What happens if an employee leaves their mobile phone on a train on their way back from work? Clearly, losing a phone is no more likely to happen if an employee uses his phone for business and personal purposes rather than just personal use. However, the consequences of losing work, business contacts and other confidential data are so much greater if the device is used for business use. Or, what if an employee’s child accidentally uses its parent’s tablet to e-mail a key potential client? Are the consequences of this just embarrassing or could they genuinely jeopardise the business?

What employers simply must remember is that, where BYOD is in play, they are data controllers under the Data Protection Act 1998 (DPA) and as such, they have a duty to ensure compliance with the DPA in respect of data that is processed. Specifically, the seventh data protection principle requires that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’. The employer’s obligations apply irrespective of who owns the device upon which the data is stored and it is all too obvious to see that the employer’s responsibilities become more difficult where the employer is not the owner of the device. The Information Commissioner has published specific advice on BYOD.

Proceed - but with caution

The view amongst many organisations is that having balanced the potential benefits against the perceived risks of BYOD, it is an approach to be embraced, provided that it is managed in an effective way. Helpfully, at the end of 2014 the Centre for the Protection of National Infrastructure (CESG) published guidance for organisations that are both considering and already operating a BYOD approach. See also the Working Paper on Privacy and Security Risks with the Use of ‘Own Devices’ in Corporate Networks from the International Working Group on Data Protection in Telecommunications.

In light of the above and based on my experience of dealing with BYOD issues, the key issues that employers should consider in connection with BYOD are as follows:

  • Create an effective BYOD policy. Such policies are not new and whilst I certainly recommend that organisations have one, any policy will only be effective to the extent that it appropriate for the organisation and backed up with appropriate training, policing and technical support. The HR and IT departments should collaborate on a BYOD policy which also ties in with the organisation’s IT, data protection, disciplinary and possibly social media policies. [See Policies and Documents for a specimen policy.]
  • Training. Employees must understand their obligations when accessing company data from their own devices, for example:
    • What additional measures are they expected to take to ensure the confidentiality of the data? 
    • What should they do if they suspect a security breach?
    • What constitutes misuse of devices and importantly what is the sanction if they breach any applicable policy?
  • Policing. As with all policies and procedures, on-going monitoring of the effectiveness of a BYOD approach will be critical.
  • Technical support. Employers should anticipate that employees may require greater IT support initially in respect of matters that arise when using their own devices. Compatibility issues of platforms and devices will need to be considered and thought given (amongst other things) to determining how the employees’ devices will obtain all the necessary updates they require.

The potential benefits of BYOD for employers and employees alike are very clear, however, the practice should not be adopted without consideration of the risks. 


Add comment

Security code

Forgotten your password?

I'd like to subscribe
Subscribers only - te law will answer your employment law queries. Find out more about our email support

Now there's more ways to stay in touch

Join Us on Linked in Become our Fan on Facebook Follow us on Twitter