On 7 March 2013, the UK Information Commissioner’s Office (ICO) issued new guidance for employers on the use of personal devices for business purposes.  The guidance is largely informed by a survey commissioned by the ICO and carried out by the market research firm YouGov.  According to the survey, 47 percent of adults in the UK use personal smart mobile phones, laptops or tablets for work purposes, but less than 30 percent are given guidance on secure use and the risks relating to loss or theft.  However, even when an employee uses a personal device, an employer may still be liable in the UK for the loss of data relating to individuals that the employer is required to protect.

UK companies have in recent years been increasingly amenable to allowing employees to use personal devices for business purposes, a practice known as “bring your own device” to work, or BYOD.   The driving forces behind the trend for BYOD include cost considerations and a rise in flexible working practices.  The ICO guidance reminds employers that their responsibilities as data controllers apply equally in the context of BYOD.  In other words, employers remain liable for any data loss, theft, or damage to personal data that occurs, regardless of whether processing takes place in their secure corporate IT environment or on the personal devices of their employees.  

In light of the inherent security risks, the ICO recommends that companies which permit BYOD carefully consider the types of data held; where data may be stored; how data are transferred; the blurring between personal and business use; the security capabilities of personal devices; what to do if the person who owns the device leaves employment; and how to deal with the loss, theft, failure and support of a device.     

In its guidance, the ICO has proposed a number of practical steps that employers can adopt to mitigate the risks associated with BYOD.  These include:

  • Acceptable Use Policy.  An Acceptable Use Policy should clearly set out employees’ responsibilities, including by specifying the types of data that may be processed on a personal device and the data that can only be processed in a secure IT environment.
  • Social Media Policy.  Employers should consider implementing a Social Media Policy, particularly where the use of social media for corporate purposes is allowed or encouraged.
  • Data security and access control.  The use of strong passwords and encryption is key to effective access control to data (and the device).  Some devices may also offer the ability to restrict access to certain applications and data types based on geographical location or an additional level of authentication.  Devices should lock automatically if inactive or if multiple incorrect passwords are entered.  Where possible, a clear separation between personal data processed on behalf of the data controller and data processed by the device owner for personal purposes should be maintained, for example, by using different applications.
  • Securing data transfers.  Transferring all data through an encrypted channel, such as a VPN, will minimize the risk of interception, but may have privacy implications in respect of information shared during periods of personal use.  Employers should use public cloud-based storage and back-up services with extreme caution.  Any monitoring technology should be deployed only if proportionate to the pursued aims.  
  • Controlling and securing devices.  Employers should consider how to manage personal data on an employee’s personal device on termination of employment.  Devices can be registered with a remote locate and wipe facility to ensure data security and confidentiality.  However, employers should ensure that data collected as part of the remote facility is not used for ongoing monitoring of users or for other unrelated purposes.  The choice of devices should be limited to those the employer has deemed sufficiently secure for the type of personal data processed.  

While monitoring devices may seem a sensible risk mitigation measure, it will have privacy implications and employers should ensure that any monitoring is “proportionate” and justified by real business need and benefits.  As outlined in the ICO’s Employment Practices Code, employees have “legitimate expectations that they can keep their personal lives private” and that they are entitled to some privacy at work.  Therefore, employers should normally conduct an impact assessment and also notify employees in the appropriate company policy before carrying out any monitoring.

Photo of Mark Young Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the…

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.