BYOD: When people bring their own phones and laptops to work

You’ve probably seen it: employees working from their personal phones, checking emails on a tablet, or installing apps on their own laptops. On the surface, it seems convenient. But it also means that company data, apps, and access are on devices the company doesn’t manage. And that’s a problem – unless you have clear rules in place.

What is BYOD

BYOD or Bring Your Own Device means employees use their personal devices – laptops, phones, tablets – for work. It often looks something like this:

  • Work emails on a personal phone.
  • Accessing company systems from a personal laptop.
  • Company documents “temporarily” stored on personal Google Drive.
  • Apps like WhatsApp or TikTok running on the same device used to access CRM or HR systems.

From a cybersecurity and privacy perspective, this is a minefield.

Why BYOD is risky

The company loses control

You don’t know what’s happening with your data, who can access it, or where it might be stored. It could be harmless – someone downloads a file from a meeting to read later. But what if it ends up on a personal cloud or an unsecured device?

Devices may be unsecured

Many people don’t even use a basic password on their phone, skip updates, and don’t use encryption. If such a device is lost or infected with malware, company data becomes exposed.

Mixing personal and work content

One device for personal photos, social media, and internal systems access? One mistake – like accidentally sending a sensitive file through a personal account – and you’ve got a real mess on your hands.

GDPR risk

A lost phone with access to emails or systems containing client data? The company is still responsible, even if the device isn’t company-owned. And explaining that to the Data Protection Authority is no fun.

What can you do?

Banning BYOD outright rarely makes sense – in some companies it’s simply not feasible. But it can be set up in a way that minimizes legal and security risks.

1. Create a BYOD policy

Without clear rules, BYOD turns into chaos. Ideally, your policy should be written down and approved by employees – e.g., as an appendix to the employment contract. It should answer:

  • Who can use their own devices and for what?
  • What are the minimum security requirements (passwords, encryption, biometrics)?
  • Which apps and services are allowed or forbidden?
  • What happens if the device is lost? Does the company have the right to remotely wipe data?

2. Separate work and personal use

Even on a tight budget, there are options:

  • Mobile Device Management (MDM) – lets you manage the work portion of the device, enforce security settings, or wipe data remotely.
  • Separate apps – for instance, Outlook for business can separate a work account from a personal one. Same with Teams or some CRM tools.
  • Access controls – for example, only allowing CRM access from devices that meet specific security criteria.
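
The third option above, device-based access control, comes down to a posture check: before a device gets to a sensitive system, a few minimum criteria are evaluated and every failed one is reported. The following is an added example, not code from the article or from any MDM product; the device attributes, the policy thresholds and the sample fleet are constructed for illustration, and the CRM it protects is hypothetical.

```python
"""Device-posture check for BYOD access control (added example, not from the article).

Grants access to a sensitive system (a hypothetical CRM) only from devices
that meet minimum security criteria: screen lock, disk encryption, recent
OS patches, enrolment in management (MDM / work profile) and no jailbreak.
Attribute names and thresholds are assumptions, not a vendor's schema.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class DevicePosture:
    """What an MDM agent or compliance check would report about one device."""
    device_id: str
    owner: str
    screen_lock: bool          # passcode / biometric lock enabled
    disk_encrypted: bool       # full-disk or file-based encryption on
    os_patch_age_days: int     # days since the last OS security update
    mdm_enrolled: bool         # work profile / management agent present
    jailbroken: bool = False   # rooted or jailbroken device


@dataclass
class AccessPolicy:
    """Minimum requirements from the BYOD policy (constructed thresholds)."""
    require_screen_lock: bool = True
    require_encryption: bool = True
    max_patch_age_days: int = 30
    require_mdm: bool = True
    deny_jailbroken: bool = True


def evaluate(device: DevicePosture, policy: AccessPolicy) -> tuple[bool, list[str]]:
    """Return (allowed, reasons).

    Every failed criterion is listed, so the employee sees what to fix and the
    security team's access log records why a request was refused.
    """
    reasons: list[str] = []
    if policy.require_screen_lock and not device.screen_lock:
        reasons.append("no screen lock or passcode")
    if policy.require_encryption and not device.disk_encrypted:
        reasons.append("storage not encrypted")
    if device.os_patch_age_days > policy.max_patch_age_days:
        reasons.append(
            f"OS patches {device.os_patch_age_days} days old "
            f"(limit {policy.max_patch_age_days})"
        )
    if policy.require_mdm and not device.mdm_enrolled:
        reasons.append("not enrolled in MDM / no work profile")
    if policy.deny_jailbroken and device.jailbroken:
        reasons.append("device is jailbroken or rooted")
    return (not reasons, reasons)


# Constructed sample fleet: one compliant laptop, one neglected phone,
# one otherwise fine tablet that has been jailbroken.
SAMPLE_DEVICES = [
    DevicePosture("laptop-ana", "ana", True, True, 5, True),
    DevicePosture("phone-bo", "bo", False, True, 90, False),
    DevicePosture("tablet-cy", "cy", True, True, 2, True, jailbroken=True),
]


def access_report(devices: list[DevicePosture], policy: AccessPolicy) -> dict[str, tuple[bool, list[str]]]:
    """Evaluate a whole fleet; the result answers 'who can reach the CRM today?'"""
    return {d.device_id: evaluate(d, policy) for d in devices}


if __name__ == "__main__":
    for device_id, (allowed, reasons) in access_report(SAMPLE_DEVICES, AccessPolicy()).items():
        status = "ALLOW" if allowed else "DENY"
        print(f"{device_id}: {status}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

In a real deployment the posture record comes from the MDM or the identity provider's device-compliance signal rather than being typed in by hand, and the same evaluation runs at every sign-in, not once at enrolment, so a device that stops updating or loses its work profile is cut off automatically.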

3. Don’t ignore the non-technical side

Technology alone won’t fix everything. People and legal considerations matter too:

  • Educate employees – most issues come from ignorance, not malice. A quick training on what's risky can save you big headaches.
  • Limit permitted devices or apps – BYOD doesn’t need to be a free-for-all. Define specific platforms or tools.
  • Get the legal side covered – make sure it’s clearly stated that the company can manage or wipe work data even on personal devices.

It’s not just about cybersecurity

BYOD also raises legal questions – especially under GDPR. An employee working with personal data on an unsecured device can unknowingly put your company at risk.

Data subjects have the right to have their personal data processed securely – even if it ends up on a private phone. If you don’t address this, you’re exposing yourself to unnecessary risk.

  • A lost phone with email or cloud access = potential data breach.
  • CRM or HR data shouldn’t sit unencrypted on a personal device.
  • Data subjects have the right to secure processing. Even on personal devices.

Do you know where you stand?

Test yourself. If you answer “I don’t know”, it’s time to revisit your BYOD setup:

  • Do you know who uses personal devices for work?
  • Do you have clear rules about what’s allowed?
  • Can you remotely delete company data from a lost device?
  • Are you sure your setup complies with GDPR?

BYOD can be great – it can save costs and make work easier. But only if it’s set up right. Otherwise, it’s Bring Your Own Disaster.

Want to avoid surprises?

Got rules in place but not sure if they still hold up? Get in touch – we’ll help you figure it out.
