Guidance on Bring Your Own Device (BYOD) for Charities

Bring Your Own Device (BYOD) is a widespread term for when a company allows employees to use their own devices  for work purposes. This could include desktops, laptops or mobile devices such as phones and tablets.

During and since the Coronavirus pandemic, many people, both volunteers and employees are not in their workplace, but instead working from home or a combination of work and home. Many people are also having to use their own personal laptop or phone for work purposes.

Although there may be significant financial savings to be had by allowing staff to use personal computers and phones for work, there are also some serious risks to an organisation’s security and privacy.

By allowing remote access to your company by devices that you do not control (non company owned computers and phones), you increase the risk of material being used by someone for purposes you may not authorise or agree. Company information could be copied, modified, transferred to your competitors or just made public.

While a member of staff is working from their own computer, it is possible that a social media app recently downloaded or already active could vacuum up the work contact database, sharing identifiable information of clients which by law would need their consent to pass onto a third party.  This could inadvertently result in a *data protection violation.

Another risk is that the owner of the computer may install Apps from unsavory or insecure sources perhaps not even realizing the risks and this could make your company files vulnerable to attacks from *malware . Failing to update a device can also leave it open to security threats. 

The owner of the computer may leave their device lying around unsecured (after all they are at home). They may allow friends and family to use it. What happens if the device gets lost or stolen?

How do you control the contents and access of a private device if your employee leaves your company? how will you ensure your information is erased? What if your employee sells their device with your company information still accessible?

How are you to know where this device even is?

There are some simple things you can do to take back control and protect your company’s information.

The easiest thing you can do is write and enforce a Bring Your Own Device (BYOD)  policy.

This does not have to be a complicated document, it should address the use of personal devices that connect to organisational networks, whether that be physical or cloud services eg Microsoft 365. In relation to apps, the policy is only concerned with those apps that interact with organisational data and services.

Here are some suggestions that could be included in the policy:

  • The Operating System and apps must be fully supported by the manufacturer and receive security updates.

  • Software based firewalls are activated and configured correctly.

  • Auto Security update should be applied. Where this is not possible security updates must be installed within 14 days.

  • Cyber Essentials password controls are applied to users own devices (BYODs).

  • Users logging in, have a day-to-day account, and this is separate to the administrator account.

  • The device automatically locks when not in use.

  • The device must have an 8 digit or more pin/pass code (Use a *biometric if available as well).

  • Apps should only be installed from the manufactures respective store.

  • Anti-malware software is installed on all laptops and desktops.

  • Unused apps should be uninstalled

  • If lost or stolen, it must be reported to the business promptly.

  • *Rooting or *Jailbreak is not permitted.

  • Provide a list of allowed applications that staff can download on their devices with the purpose of interacting with organisational services and data.

For further risk reduction you could look at:

  • Mobile Device Management software (MDM) allows you to monitor, manage, and secure employees’ mobile devices. This gives you full control but comes at a price!

  • The use of a corporate Virtual Private Network (VPN) could be considered. This will allow users of BYOD to transfer their internet boundary wherever they are to a firewall that is under the control of the company.  (A corporate VPN is a full tunnel, host-to-site or site-to-site VPN that is always-on when accessing organisational services or data. )

  • A remote erase and tracking app could be installed and activated so you can track a lost device, lock access and erase data.

  • Consider *encrypting devices.

So, before allowing private computers and phones to access your company information,  be aware of the hidden costs (subscription, updates, limitations) and risks around your data and make a balanced judgement. If this is a subject you need support with, seek advice from an independent IT security service company.


The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). Strict laws determine how you store people’s contact details and personal information.

Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of types of malware exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, and scareware.

Biometrics are unique identifiers such as fingerprints, face, iris and/or voice, already being used instead of passwords to make human identity authentication a bit more secure.

To encrypt your device means that every time you power your device on, you’ll need either a numeric pin or password to decrypt the device. An encrypted device is far more secure than an unencrypted one. When encrypted, the only way to get into the phone is with the encryption key.

Jailbreaking is the process of removing the limitations put in place by a device’s manufacturer. Jailbreaking is generally performed on Apple iOS devices, such as the iPhone or iPad. Jailbreaking removes the restrictions Apple puts in place, allowing you to install third-party software from outside the app store. Essentially, jailbreaking allows you to use software that Apple doesn’t approve.

Rooting is the process of gaining “root access” to a device. Similar to Jailbreaking, but this is generally performed on Android devices.