UK laxity on BYOD raises data loss risk, says ICO

YouGov survey reveals many UK employers are not providing guidance on the usage of own devices at work, putting personal information at risk

A YouGov survey has revealed that many UK employers are failing to provide guidance on the usage of personal devices at work – potentially putting personal information at risk.

Nearly half of UK adults take part in bring-your-own-device (BYOD) programmes, yet under a third have been given any guidance on doing so, according to a survey commissioned by the Information Commissioner’s Office (ICO).

The survey shows that email is the most common work activity carried out on a personal device, accounting for 55% of people who use their personal smartphone, laptop or tablet computer for work purposes.

This was followed by 37% who used a personal device to edit work documents and 36% to store work documents. All of these activities are likely to involve the processing of personal information.


This raises concerns that people may not understand how to look after the personal information accessed and stored on these devices, the ICO said.

The ICO released the survey findings alongside guidance explaining some of the risks organisations must consider when allowing personal devices to be used to process work-related personal information.

The guidance explains how BYOD can be adopted safely and in a manner that complies with the Data Protection Act.

“The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely,” said Simon Rice, the ICO’s group manager of technology.

“While these changes offer significant benefits to organisations, employers must have adequate controls in place to make sure this information is kept secure,” he said.  

Rice said the cost of introducing appropriate controls range from relatively modest to quite significant, depending on the type of processing being considered.


  • Be clear with staff about which types of personal data may be processed on personal devices and which may not;
  • Use a strong password to secure your devices;
  • Enable encryption to store data on the device securely;
  • Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times;
  • Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all;
  • Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft

The cost might even be greater than the initial savings expected, he said, but the sum would certainly “pale into insignificance” compared with the reputational damage caused by a serious data breach.

“This is why organisations must act now,” said Rice.  

 The ICO’s guidance aims to help organisations develop their own policies by highlighting the issues they must consider.

These include knowing where personal data is stored at any given time, having measures in place to keep the information accurate and up-to-date, and ensuring that the device can be wiped remotely if lost or stolen.

The guidance also explains how organisations need to be clear on the types of personal data that can be processed on personal devices.

Read more on Privacy and data protection