BYOD is huge potential GDPR risk for employers – here’s what you can do about it.

As the GDPR deadline arrives, experts are warning employers to review their in-house policies on Bring Your Own Device (BYOD) – because getting it wrong has the potential to create risks relating to data protection or breaches, as a result of staff using a single smartphone for both business and personal uses.

survey, conducted by Censuswide on behalf of a Telecoms app provider, found that a quarter (25.3%) of senior managers and almost a third of directors (31.8%) use their personal phone for work purposes, while 37% of middle and senior managers use the same phone for both work and pleasure.   This leapt to 78% when the same question was asked to business owners.


72% of businesses use BYOD – but only 54% have a policy

While 72% of organisations have embraced BYOD and cloud-based software applications, enabling staff to work from home, a recent study found that only 54% of UK employers have formal BYOD policies in place.

Andy Munarriz, founder and CEO of Thumbtel said:

“If your employees elect not to use their company issued mobiles or you have a Bring Your Own device policy in place, it’s time to consider the implications of GDPR on your business.

“With over 14 million people in the UK said to use a second mobile phone for work purposes, many prefer to use one device rather than juggle between two different handsets and chargers and this has the potential to create a big headache for business owners as work and personal communications become intertwined, leaving businesses open to possible data risks or security breaches.”

Further findings in the Censuswide survey identify concerning issues in a data-conscious GDPR climate – more than half of respondents admitted to accidentally answering a work call, believing it to be a personal call.   Only a quarter of respondents had separate phones for work and home.


Five things to consider

Munarriz says employers facilitating BYOD need to consider the following points to protect both staff and data:

“If your employees use their own mobile phone for work, either formally with a BYOD policy in place, or informally without the company’s knowledge, then you need to consider five key questions:

• do you have a clear BYOD policy in place that all employees are aware of?

• Can you make it easy for employees to follow your policy?

• How can staff keep work and personal contacts and communications separate?

•How secure is customer data and communications on their device?

•Finally, can you ensure that you retain, or easily control, customer data if an employee leaves your business?

Munarriz adds:

“These are important questions that company directors should not overlook – particularly with GDPR upon us and the penalties that may come as a result of non-compliance.”

One option companies could consider is having a second line on the user’s BYOD device.   This gives the employer control over both the number and the data, and more importantly, ensures that telephone contacts are retained by the business, not the employee, should the employee leave the business, and there is a clear boundary between home and work.


Brian Stokes, Managing Director of UK-wide Business Telecoms & IT Support provider, ITCS, believes that having clear policies and boundaries in place is essential to mitigate the risks from GDPR.  The company have an in-house GDPR consultancy team and have run a series of workshops for their customers ahead of tomorrow’s deadline.  Brian says:

 “GDPR is making businesses look at data, and that is a good thing. 

“We may offer GDPR Consultancy as part of our comprehensive list of IT and Data services, but we have to comply as much as any other business.  We offer 24 hour support to our larger customers with mission-critical systems and our committed, friendly team of engineers have business mobiles so they can stay in touch with customers. 

“We don’t give out personal mobile numbers under our BYOD policy – although like the 78% of business owners, most of our customers have my personal mobile number – and I wouldn’t have it any other way.  It’s that level of personal service that has grown our business.   


Employers who need support or advice on GDPR compliance can contact ITCS on 08456 444 200.