BYOD Security Policy: Protecting Personal Devices at Work

Bring Your Own Device (BYOD) policies allow staff to use personal smartphones and laptops for work — but without proper controls, they introduce significant security and compliance risks. This guide explains what a BYOD security policy should cover and how UK businesses can implement one effectively.

BYOD Security: The Core Challenge

43% of UK businesses experienced a cyber breach in 2025 (DSIT). Personal devices accessing company data without policy controls or MDM enrolment are a significant and growing attack surface. A proper BYOD policy combines written rules with technical enforcement — including work profile separation and remote wipe capability — to protect company data whilst respecting employee privacy.

What Is BYOD and Why Does It Need a Security Policy?

BYOD (Bring Your Own Device) describes the practice of employees using personal smartphones, tablets, or laptops to access company email, files, and applications. As an increasingly common component of a business mobiles strategy, BYOD offers flexibility and cost savings — but without proper controls, it introduces significant security and compliance risks that UK businesses cannot afford to ignore.

Many UK businesses adopted BYOD informally. Staff simply connected their personal phones to company email without any formal policy or controls in place. Research suggests that 87% of organisations allow BYOD in some form (industry sources), yet a significant proportion lack the technical enforcement to manage it securely. The problem with unmanaged BYOD is straightforward: corporate data sits on a device the business does not own or control. If that device is lost or stolen, or if the employee leaves — particularly on bad terms — the business has no reliable way to remove corporate data from it.

Under UK GDPR, the business remains the data controller regardless of who owns the device. The organisation is responsible for the security of personal data processed on those handsets, and a failure to implement appropriate technical measures can lead to ICO investigation, enforcement notices, and fines.

How a BYOD Security Policy Works

A robust BYOD policy combines written rules with technical enforcement. Neither element is sufficient on its own — a written policy without technical controls is unenforceable, and technical controls without a clear written policy create confusion and erode employee trust.

The Written Policy

The written element sets out what employees are permitted to do with personal devices in relation to work systems. It should clearly define which applications staff can install to access company data, what minimum security settings are required (PIN, encryption, up-to-date operating system), and what the business can and cannot see or do on their personal device. Transparency is essential — employees are far more likely to cooperate with a BYOD programme if they understand exactly what the employer can access and what remains private.

A well-drafted BYOD policy should also address acceptable use, data ownership, the process for reporting a lost or stolen device, and what happens to company data when the employee leaves the organisation. Each of these areas has GDPR implications, and the policy should be reviewed by someone with data protection knowledge before it is issued to staff.

Technical Enforcement

The technical enforcement element typically involves Mobile Device Management (MDM) software — such as Microsoft Intune — deployed on personal devices. MDM can create a separate, managed work profile that contains company apps and data, isolated from the rest of the device. The employer can push security settings to the work profile and remotely wipe only the work container if needed, leaving personal data completely untouched.

For organisations that want a lighter touch, Mobile Application Management (MAM) policies can be applied to specific business applications without enrolling the device in full MDM. MAM controls what happens to data within managed apps — preventing copying of data from Outlook to a personal notes app, for example — without requiring any control over the device itself. This approach suits organisations where staff are resistant to full MDM enrolment on personal devices.

MDM vs MAM: Choosing the Right Approach

The choice between MDM and MAM for BYOD devices depends on the sensitivity of the data being accessed and the level of control the business requires:

  • Full MDM enrolment with work profile: Provides the highest level of control. The business can enforce encryption, PIN requirements, OS version minimums, and app installation restrictions on the work profile. A selective wipe removes all company data when needed. This is appropriate for businesses handling sensitive client data, financial information, or regulated data.
  • MAM-only (app-level policies): Controls are applied to specific business applications rather than the device. Suitable for organisations where staff only access email and Teams on personal devices, and where the data involved is lower-sensitivity. MAM cannot enforce device-level settings such as encryption or PIN requirements.
  • Containerisation: A middle ground where a secure container app is installed on the personal device, and all business data and applications run within that container. The container is encrypted and can be wiped independently of the device. This approach provides strong data separation without requiring full device management.

AMVIA advises clients on the appropriate approach based on the types of data their staff access on personal devices and the level of risk the organisation is willing to accept.

Why UK Businesses Need a BYOD Policy

According to the DSIT Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cyber breach in the past year. Mobile devices — particularly those without enforced encryption or PIN requirements — are a common attack vector. A lost device with access to company email or cloud files can expose sensitive business and client data, potentially triggering a reportable breach under UK GDPR.

With 28% of UK employees now working in a hybrid pattern (ONS 2025), the use of personal devices for work has accelerated. Staff check email on personal phones during commutes, access Teams on personal tablets at home, and use personal laptops when working remotely. Each of these interactions creates a potential exposure point if the device is not properly secured.

GDPR requires organisations to implement appropriate technical and organisational measures to protect personal data. Using personal devices to process company data without any policy or controls in place is unlikely to satisfy this requirement. The ICO has issued fines and enforcement notices relating to inadequate mobile device security. For businesses handling sensitive client information — financial data, health records, legal documents — the risk is particularly acute.

Mobile malware attacks increased 50% year-on-year (industry sources), and personal devices are disproportionately affected because they are less likely to have enterprise-grade security software installed. A BYOD policy that mandates security controls on personal devices directly addresses this growing threat.

BYOD and UK GDPR Compliance

UK GDPR compliance is one of the strongest drivers for implementing a formal BYOD policy. Several specific GDPR requirements are directly relevant:

  • Data protection by design and default (Article 25): Businesses must build data protection into their processes. Allowing staff to access personal data on unmanaged devices without security controls does not meet this requirement.
  • Security of processing (Article 32): Appropriate technical and organisational measures must be implemented. Encryption, access controls, and the ability to remotely remove data from devices are all relevant measures.
  • Data breach notification (Articles 33-34): If a device containing personal data is lost and the data is unencrypted or accessible, this may constitute a reportable breach. The business must notify the ICO within 72 hours and, in some cases, the affected individuals.
  • Employee privacy: BYOD policies must respect employees' right to privacy on their personal devices. Full MDM enrolment must be transparent about what the employer can and cannot see, and selective wipe — not full device wipe — must be used for personal devices.

A properly implemented BYOD policy, backed by MDM or MAM technical controls, helps the organisation demonstrate compliance with each of these requirements. The policy itself, together with records of device enrolment and compliance status, forms part of the accountability evidence the ICO would expect to see in the event of an investigation.

Key Considerations for UK SMEs

  • Data separation is non-negotiable: Use MDM to create a managed work profile — employees have a right to privacy on their personal devices, and the policy must reflect this clearly. Personal content must remain invisible to the employer.
  • Remote wipe scope must be defined: The policy should specify that only company data can be wiped remotely — not personal photos, contacts, or apps. Using selective wipe rather than full device wipe builds trust with employees.
  • Minimum device requirements matter: Set clear rules on OS version, encryption, and lock screen settings. Devices not meeting the baseline should not be permitted access to company data under any circumstances.
  • Leavers process is critical: The BYOD policy must define what happens when an employee leaves — immediate removal of access and remote wipe of the work profile should be standard. This should be integrated with your HR offboarding process.
  • Staff must consent in writing: Employees should sign an acknowledgement confirming they understand and accept the BYOD policy terms before their device is enrolled. This consent should be informed — staff should know what will be installed, what the employer can see, and what will happen if they leave.
  • Review the policy annually: BYOD risks evolve as technology changes. An annual review of the written policy and technical controls ensures your approach remains appropriate and aligned with current threats and regulatory expectations.
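The points above about minimum device requirements, and the earlier note that MAM-only policies cannot enforce device-level settings, come down to one access decision: does this device meet the baseline, and can the management layer actually verify that? The following Python is an added illustration, not AMVIA's code and not the Microsoft Intune API. It models that decision in a simplified form: a device posture report is evaluated against a baseline, checks that a MAM-only policy cannot observe are recorded as unverified rather than passed, and a baseline for sensitive data refuses access unless every device-level control has been verified. The baseline values (OS minimums, timeout limits) are placeholders, not figures from the page.

```python
"""Posture check for a personal device against a BYOD baseline.

Added illustration only: not AMVIA's code and not the Intune API. It models
the decision a management layer makes before a personal device reaches
company data, including the caveat that a MAM-only policy has no visibility
of device-level settings such as encryption or the lock screen."""

from dataclasses import dataclass, field
from typing import Optional

# Hypothetical baselines; the numbers are placeholders for a real policy.
SENSITIVE_BASELINE = {
    "min_os": {"android": (13, 0, 0), "ios": (16, 0, 0)},
    "max_screen_timeout_s": 120,
    "device_controls_required": True,   # encryption/lock must be verified
}
STANDARD_BASELINE = {
    "min_os": {"android": (12, 0, 0), "ios": (15, 0, 0)},
    "max_screen_timeout_s": 300,
    "device_controls_required": False,  # MAM-only is acceptable here
}


def parse_version(text: str) -> tuple:
    """'14.1' -> (14, 1, 0); non-numeric parts become 0 instead of crashing."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass
class DevicePosture:
    """What the management layer reports about one personal device."""
    platform: str
    os_version: str
    management: str                       # "mdm" (work profile) or "mam"
    work_profile_present: bool = False
    encrypted: Optional[bool] = None      # None = not reported
    lock_enabled: Optional[bool] = None   # PIN or biometric
    screen_timeout_s: Optional[int] = None


@dataclass
class Decision:
    allow: bool
    failed: list = field(default_factory=list)      # checks that failed
    unverified: list = field(default_factory=list)  # checks nobody could run


def evaluate(device: DevicePosture, baseline: dict) -> Decision:
    """Return the access decision for one device against one baseline."""
    failed, unverified = [], []

    # OS version is visible to both an MDM agent and a MAM-managed app.
    minimum = baseline["min_os"].get(device.platform.lower())
    if minimum is None:
        failed.append("platform_not_permitted")
    elif parse_version(device.os_version) < minimum:
        failed.append("os_version_below_minimum")

    if device.management == "mdm":
        if not device.work_profile_present:
            failed.append("work_profile_missing")
        timeout_ok = (None if device.screen_timeout_s is None
                      else device.screen_timeout_s <= baseline["max_screen_timeout_s"])
        # MDM should report every attribute; a missing one fails closed.
        for name, ok in (("encryption", device.encrypted),
                         ("lock_screen", device.lock_enabled),
                         ("screen_timeout", timeout_ok)):
            if ok is None:
                failed.append(name + "_not_reported")
            elif not ok:
                failed.append(name)
    elif device.management == "mam":
        # App-level policy has no authority over the device itself, so these
        # are recorded as unverified rather than silently assumed to pass.
        unverified.extend(["encryption", "lock_screen", "screen_timeout"])
    else:
        failed.append("unmanaged_device")

    # Sensitive-data baselines refuse anything that could not be verified.
    allow = not failed and not (unverified and baseline["device_controls_required"])
    return Decision(allow, failed, unverified)


if __name__ == "__main__":
    # Constructed sample: an iPhone under MAM-only asking for sensitive data.
    phone = DevicePosture(platform="ios", os_version="16.4", management="mam")
    print(evaluate(phone, STANDARD_BASELINE))   # allowed, with unverified list
    print(evaluate(phone, SENSITIVE_BASELINE))  # refused: controls unverified
```

The useful property is in the last line of `evaluate`: the same MAM-only device is accepted for lower-sensitivity data and refused for sensitive data, not because any check failed, but because nothing was in a position to run the device-level checks. Keeping "failed" and "unverified" separate is what lets the policy explain to the employee why enrolment in a work profile is required.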

How AMVIA Can Help

AMVIA helps UK businesses implement BYOD policies backed by Microsoft Intune MDM, including work profile setup, security baseline configuration, and remote wipe capability. As part of a managed IT service, AMVIA handles ongoing device enrolment, policy enforcement, and leavers processes — removing the administrative burden from your internal team.

AMVIA also advises on the right balance between MDM and MAM for your organisation, considering the sensitivity of your data, the attitudes of your staff, and your cybersecurity obligations. Whether you need full MDM enrolment with work profiles or a lighter MAM-only approach, AMVIA provides the technical implementation and ongoing management to keep personal devices secure without creating friction for your team. Call 0333 733 8050 to discuss your requirements.

Key Elements of a BYOD Security Policy

What your BYOD policy and technical controls need to address.

Acceptable Use Rules

Clear rules on which apps, systems, and data employees can access from personal devices.

Device Security Requirements

PIN or biometric lock, OS update requirements, encryption, and screen timeout settings.

MDM Enrolment

Mobile Device Management allows IT to enforce policy, deliver apps, and wipe company data remotely.

Data Separation

Work and personal data kept in separate containers — personal content invisible to the employer.

BYOD Policy Checklist

Essential elements your BYOD policy and technical controls should cover.

Written BYOD policy in place

Employees have read, understood, and signed the policy before their device accesses company data.

MDM work profile deployed

Microsoft Intune or equivalent creates a separate managed container for company apps and data.

Remote wipe of work profile tested

Selective wipe removes only company data, leaving personal content intact — tested before deployment.

Minimum device requirements defined

Policy specifies OS version, encryption, PIN/biometric lock, and screen timeout requirements.

Leavers process documented

Access revoked and work profile wiped immediately on the day of departure.

GDPR data separation confirmed

Employer cannot access personal apps, photos, or messages on enrolled devices.

Implement a Proper BYOD Policy

AMVIA can assess your current BYOD exposure and implement Microsoft Intune-based device management with work profile separation, remote wipe, and a written policy your team can follow.