Bring Your Own Device (BYOD) template
A bring your own device (BYOD) policy sets the rules for staff using their personal phones, tablets, and laptops for {{org.name}} work — which devices are allowed, the security they must have, what the company can and cannot see or wipe, and what happens when a device is lost or its owner leaves. It draws the line between company data and private life on the same piece of hardware.
BYOD happens whether or not you write it down: the rota checked on a personal phone, the customer email answered from a home laptop. The choice is not whether staff use their own devices but whether the risk is managed — an unmanaged personal device holding work data is one of the commonest ways small businesses lose control of personal data.
This template covers approval and eligible devices, security requirements, working rules, privacy boundaries, loss and leaver procedures, and costs.
Full text, ready to adapt.
Highlighted fields are placeholders — replace them with your organisation's specifics. A starting point, not legal advice.
Bring Your Own Device (BYOD)
Policy · Company Policies
1. Purpose and scope
This policy applies to anyone using a personal device — phone, tablet, or laptop — to access {{org.name}} systems or data, including email, [messaging platform], [rota/CRM system], and work files. Using a personal device for work is optional for staff, and conditional on this policy for the company.
It protects two things at once: company and customer data on devices we do not own, and the private lives of the people who own them.
2. Policy statement
Personal devices may be used for work only with approval, only through [approved apps/access method], and only while the security requirements below are met. {{org.name}} may withdraw access at any time. We will never browse the personal content of your device.
3. Approval and eligible devices
Ask [name/role] before connecting a personal device to any work system. Approvals are recorded in the [BYOD register] with the device type and what it may access. Devices that no longer receive manufacturer security updates are not eligible. Roles handling [sensitive data categories — e.g. health or financial records] are excluded from BYOD and use company devices instead: [list roles].
4. Security requirements
- Protect the device with a PIN, password, or biometric lock that engages automatically.
- Keep the operating system and apps updated — stop using any device that no longer receives security updates.
- Turn on device encryption where it is not already on by default.
- Do not use a jailbroken or rooted device (one with its built-in security removed) for work.
- Install [mobile device management / approved security app] if we require it for your level of access.
5. Working on your own device
- Access work systems only through [approved apps — e.g. the company email app or browser portal]; never forward work email to personal accounts.
- Keep work files in [company cloud system], not in the device's local storage or personal cloud accounts.
- Do not let family members or anyone else use the device while you are signed in to work systems.
- Avoid public Wi-Fi for work, or use [VPN/approved method] when you have no alternative.
- Do not photograph anything containing customer or staff personal data unless a work process specifically requires it.
6. Your privacy — what we can and cannot see
{{org.name}} can see and manage the work side only: [describe — work accounts, the contents of approved work apps, access logs]. We cannot and will not look at your personal photos, messages, browsing history, or location.
If we use remote wipe, it is limited to work data and work apps wherever the technology allows. A full-device wipe is a last resort for a lost device that cannot be selectively wiped, and we will tell you before triggering one unless delay would materially increase the risk.
7. Lost devices, incidents and leavers
- 1Report a lost or stolen device with work access to [name/role] immediately, at any hour.
- 2[Name/role] revokes the device's access to work systems and triggers remote wipe of work data where enabled.
- 3If personal data may be exposed, follow the data breach response procedure — the 72-hour ICO clock runs from awareness.
- 4When you leave {{org.name}} or stop using BYOD, work accounts and data are removed from your device on or before your last day, and you confirm in writing that none remains.
8. Costs, support, records and review
[State your position: {{org.name}} contributes [amount] per month for approved regular users / work calls and data are reimbursed through the expenses policy / no contribution is made for optional BYOD.] IT support covers the work apps and connections only — we do not repair or maintain the device itself.
The BYOD register, approvals, and signed acknowledgments are kept in [system/location]. This policy is reviewed [frequency] and whenever the systems staff can access change. Owner: [name/role]. Next review: [date].
How to adapt this template.
Decide first which systems personal devices may reach — the narrower the access, the simpler everything else becomes.
Test your remote-wipe capability on a spare device before you rely on it in the lost-device procedure.
Write the privacy section with whoever runs your IT, and describe only what your tools actually do — accuracy in both directions.
Choose your costs position and put it in writing; unspoken expectations about personal data allowances breed resentment.
Get a signed acknowledgment before enabling access, not after.
Add the device step to your leaver checklist so it happens on the last day, every time.
Turn this template into trained, proven behaviour
A policy in a drawer proves nothing. In TrainedTeam this template becomes assigned training with knowledge checks, e-signature acknowledgments, version history, and an audit-ready record of who completed what, when.
Bring Your Own Device (BYOD) template FAQs
Is BYOD allowed under UK GDPR?
Yes — nothing in UK GDPR bans personal devices. The law requires appropriate protection for personal data wherever it is processed, which is exactly what a BYOD policy provides: security requirements, limited access, and a plan for loss and leavers. Unmanaged BYOD, by contrast, is very hard to defend after a breach.
Can we remotely wipe an employee's personal phone?
Only on the basis agreed in this policy, and limited to work data and apps wherever your tools allow. A full-device wipe destroys personal photos and messages, so reserve it for genuine last resorts and make sure staff agreed to the possibility in writing before access was enabled.
Who pays when staff use their own devices for work?
UK law sets no general BYOD allowance, so it is a policy choice: some employers pay a monthly contribution, some reimburse work calls and data, some pay nothing where BYOD is optional. What matters is stating the position in writing before people opt in.
What happens to work data when someone leaves?
Work accounts are removed from the device on or before the last day, remote wipe of work data is triggered where enabled, and the leaver confirms in writing that none remains. Build this into your exit procedure — it is the step most often missed, and an ex-employee's phone is the copy of your data you cannot see.
Is a lost personal phone with work email a reportable data breach?
It depends what the device could access and how well it was protected. A locked, encrypted phone whose access was revoked within minutes may present little risk; an unlocked device with open access to customer records is a different matter. Assess it under your data breach response procedure — if notifiable, the ICO must be told within 72 hours of awareness.
Related templates
IT & Acceptable Use Policy
Free IT and acceptable use policy template for UK teams: security rules, email and internet use, monitoring, and incident reporting. Ready to edit.
Data Protection Policy
Free UK GDPR data protection policy template: the principles in practice, staff handling rules, responsibilities, rights requests, and breach routing.
Remote & Hybrid Working
Free remote and hybrid working policy template (UK): eligibility, availability rules, home workstation safety, data security, and equipment.
Disciplinary Policy & Procedure
Free disciplinary policy template for UK employers, built on the ACAS Code: investigation, hearings, warnings, appeals, and record-keeping. Ready to edit.