BYOD policies: is your organisation compliant with the ICO's new guidance?
This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.
With an increasingly mobile workforce using tablets such as iPads, smartphones and personal laptops, the practice of bring your own device ("BYOD") is already a fact of life for many businesses. The UK Information Commissioner has issued its first specific guidance to help organisations minimise the heightened data security risks this poses. In-house legal teams should work with their IT and HR colleagues to ensure their organisation's policy is compliant and that risk is being appropriately managed.
The ICO's guidance - what's new?
The Information Commissioner's Office ("ICO") recently issued its first piece of specific guidance on 'bring your own device' ("BYOD") - the practice of staff using their own tablets, smartphones and laptops for work purposes. A survey commissioned to accompany the guidance revealed that while 47% of the UK workforce use personal devices for work, fewer than one in three such users has received guidance from their employers.
Your business should ensure that you have a policy surrounding BYOD, and if you do already, that it is compliant with the ICO guidance. The BYOD guidance largely concerns IT risk governance so your operations colleagues will need to be aware of it to ensure that your organisation benefits from BYOD working and keeps the organisation's policies as upgraded as your devices.
What's the legal status of this guidance, and what are the risks of ignoring it?
As with all the ICO's guidance, the new document does not have the force of law. However, it does in effect provide a benchmark against which an organisation's compliance with the Data Protection Act 1998 ("DPA") would be evaluated - both by the ICO (in the event of enforcement action) and by the courts. In other words, if an organisation suffered a data security breach stemming from BYOD and had not implemented the guidance, it would have an uphill struggle to demonstrate that it was DPA compliant.
The Seventh Principle of the DPA provides that:
'Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.'
The guidance spells out in more detail how this very broad requirement can be met in the specific context of BYOD.
To focus the mind of the IT Director, it is worth remembering that the ICO now has the power to impose fines of up to £500,000 for serious breaches of the data protection principles (see previous Olswang articles regarding fines in 2012 and 2009) and fines could rise to up to 2% of global turnover if the proposed EU reforms come into force.
What are the risks of BYOD?
Security breach remains a hot topic, and data security measures are at the heart of the new guidance. However, the guidance also addresses compliance with the Data Protection principles more widely.
The risk of BYOD begins with a basic mismatch: the device containing the data belongs to the user (or processor), not to the data controller, yet it remains the data controller's responsibility to ensure that the processing of personal data under its control stays DPA compliant. The main risk therefore originates from the lack of control that the data controller has over the employee's personal device. Nevertheless, in the event of a security breach, it will be the data controller that has to demonstrate that it has secured, controlled and deleted all personal data on the device in question.
What practical steps should I take?
The user-friendly 13-page guidance document sets out a number of issues to consider and practical top tips to implement. Your organisation should consider: the type of data held, where data is stored, how it is transferred, the potential for data leakage, the blurring of personal and business use, the security settings on the device, what to do when people leave the organisation's employment, and how to deal with loss, theft and failure of devices. Here's a non-exhaustive selection of the ICO's tips:
Audit
- As with all data protection compliance, an audit of what personal data the organisation is processing, how, and why is the essential starting point. Audit the devices used and who owns them - and consider whether it is appropriate for personal data held by the business to be accessed on private devices;
Policy and governance
- ensure there is a BYOD Acceptable Use Policy on data use that is adhered to, understood and imparts accountability to all employees;
- make it clear what data can and cannot be stored on personal devices;
- ensure the policy is monitored on an on-going basis;
Where is the personal data stored?
The location where the data is stored (on the device, on the organisation's own servers or private cloud, in a public cloud, etc.) is a fundamental consideration; the guidance sets out a number of specific security-related recommendations relating to passwords, encryption, locking and remote deletion.
- create a private cloud / wi-fi network for employees using BYOD and choose a service provider with high security credentials;
- ensure that sensitive personal data is only stored on specific devices and is kept encrypted. Inform employees if this data is not to be used on a personal device;
- ring-fence data within certain apps that have strong security credentials and verify these features;
How is the personal data transferred?
- data 'in transit' between endpoints should be secure and protected from interception by use of encryption. The encryption algorithm should meet recognised industry standards;
- consider the final endpoints - disable Bluetooth and printer use with devices, and ensure that devices which automatically back up data do not lead to an inappropriate disclosure of personal data;
Control, deletion and protection of data
- control data access by using passwords, PINs and encryption, so that access is restricted to the employee and not to other persons or family members who also use the personal device;
- prevent unauthorised access to log-in sites or cloud services by applying automatic time-outs to sessions;
- pre-register devices with a Mobile Device Management (MDM) solution so that data can be deleted remotely in the event that a device is lost, stolen or damaged;
- consider how to manage employees who "root" or "jailbreak" their devices, since doing so may remove the default security controls;
- ask employees to delete data on devices regularly to avoid retaining data for unnecessary lengths of time, and to delete data when devices are sold or transferred to third parties;
Employment risks - monitoring at work
- consider the guidance in the ICO's Employment Practices Code, keeping in mind the user of the device, their family members who may also use it, and their legitimate right to privacy;
- consider registering devices for tracking purposes so that data can be located, but inform users of this, and ensure it is justified by a real benefit and does not unnecessarily infringe on privacy;
Subject access and data requests
- remember that the spread of data across devices (through accidental or unintentional leaks) may make responding to subject access requests difficult, so retaining control from the outset is beneficial.
BYOD - take a joined up legal approach!
BYOD is here to stay, and has great potential for flexibility, productivity and morale. There's no good legal reason not to implement BYOD - provided the increased legal risks can be appropriately managed. In-house lawyers need to work with their IT and HR counterparts to implement a BYOD policy and ensure it is communicated effectively to staff - and followed in practice.
For more information please contact Olswang Partner Ross McKean, Ross.McKean@olswang.com
For further commentary on BYOD, please see Olswang Partner Rob Bratby's blog piece on BYOD.
Any information contained in this update is intended as a general review of the subjects featured and detailed specialist advice should always be taken before taking or refraining from taking any action. If you would like to discuss any of the issues raised in this update, please get in touch with your usual Olswang contact.