
Three Data Protection Issues Arising From Personal Mobile Use in the Workplace in the UK

Summary

  • Employers remain responsible under the UK GDPR and Data Protection Act 2018 for securing personal data accessed on employees’ personal mobile devices.
  • A lack of device control, mixing of personal and work data, and employee privacy concerns are the three key data protection risks arising from personal mobile use at work.
  • Businesses can mitigate these risks through clear BYOD policies, mobile device management software, and written procedures for lost or stolen devices.
  • This article is a plain-English guide for business owners in the UK on data protection issues arising from personal mobile phone use in the workplace.
  • LegalVision, a commercial law firm, specialises in advising clients on data protection and privacy compliance.

Tips for Businesses

Implement a written BYOD policy setting clear boundaries for personal device use, deploy mobile device management software to separate work and personal data, and establish procedures for securing or wiping work data when devices are lost or employees leave.


Personal mobile phones in the workplace create real data protection risks for employers. When staff use their own devices to access work emails, files and applications, businesses lose direct control over how that data is stored and secured. This article will outline three key data protection issues arising from using personal mobiles in the workplace, so your company can take practical steps to protect its interests.

1. Lack of Data Control

One data protection law issue arising from using personal mobiles in the workplace is employers’ lack of control over the device.

When your staff use their smartphones for work-related purposes, you have limited control over their device. If they lose their smartphone or it is stolen, your business may struggle to secure the work emails and stored data.

Your business is responsible for securing personal data under data protection legislation (primarily the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018). Therefore, if an employee uses their smartphone to access work-related information, you remain responsible for protecting that data.

Additionally, the GDPR sets out strict requirements for the processing of personal data, which include:

  • processing personal data lawfully and fairly;
  • ensuring that personal information is obtained and stored proportionately and transparently; and
  • putting appropriate security measures in place to protect personal data.

Any failure to comply with GDPR rules can result in hefty financial penalties from the Information Commissioner’s Office (ICO) of up to £17.5m.

To mitigate this risk, your company should have clear written policies outlining the acceptable use of a personal phone in the workplace. In addition, these policies should include guidelines for the security of data stored on smartphones and outline the procedures staff should follow in case of a lost or stolen device.

2. Mixing Personal and Work Data

Another data protection issue arising from using personal mobiles in the workplace is mixing personal and work-related data. When employees use their personal mobiles to access work-related data, it can be difficult to separate it from personal data stored on the device.

Mixing personal and work data can lead to data protection issues. If the device is lost or stolen, it may be challenging to determine which information is personal and which is work-related, making it difficult to assess the scope of any potential breach. When an employee makes a subject access request under the UK GDPR, separating their personal data from work data becomes complicated. Your business may have different retention obligations for work data compared to personal data, making compliance difficult when the two are mixed.

You can mitigate this risk by encouraging staff to keep personal and work-related data separate on their smartphones. Your business can achieve this through mobile device management (MDM) software, which allows employees to create different containers for personal and work-related data on the device.

However, some employees feel that MDM software is intrusive and is a potential invasion of privacy. This means that it is not a one-size-fits-all solution.


3. Employee Privacy Issues

Using personal mobiles in the workplace can also raise issues with staff privacy. Companies have a responsibility to respect the privacy of their staff, including the confidentiality of personal data stored on their smartphones.

One issue is that when staff use their personal smartphones to access work-related data, there is a potential overlap whereby your business may access personal data on that device. This could include private emails, text messages and photos unrelated to work.

You can seek to manage this risk through written policies that outline the circumstances under which your company can access personal data on an employee’s smartphone. You should communicate these policies to employees, who should be allowed to consent to personal data access in specific circumstances.

A common written policy is a bring-your-own-device (BYOD) policy. A BYOD policy seeks to set boundaries on using personal devices for work purposes. Additionally, it outlines security rules, such as requiring strong passwords and the use of encryption.

What Should a BYOD Policy Include?

A BYOD policy should cover several practical areas. At minimum, it should address:

  • which types of work data employees can access on personal devices;
  • minimum security requirements, such as screen locks, encryption and software updates;
  • what happens if the device is lost, stolen or compromised;
  • whether the employer can remotely wipe work data from the device;
  • how work data will be removed when employment ends; and
  • employee responsibilities for reporting security incidents promptly.

Your policy should also explain how your business will handle data subject access requests when work and personal data sit on the same device. Under Article 15 of the UK GDPR, individuals can request copies of their personal data. A clear BYOD policy helps your business respond to these requests without accidentally disclosing third-party information.

You should review your BYOD policy regularly to reflect changes in technology and working practices. Staff should sign an acknowledgement confirming they have read and understood the policy. This creates a clear record that expectations were communicated.

Key Statistics

  1. 58% of UK businesses do not require any security or procurement checks when purchasing new connected devices, heightening data privacy risks under BYOD policies.
  2. 45% of businesses allow staff to use personal devices (BYOD) for work-related activities, exposing organisations to significant compliance and breach liabilities.
  3. 70% of employees use personal mobile devices to access company data at least occasionally, increasing the risk of unauthorised data exposure.

Sources

  • Department for Science, Innovation and Technology (April, 2026)
  • Department for Science, Innovation and Technology (April, 2025)
  • National Cyber Security Centre (May, 2025)

Key Takeaways

Using personal smartphones in the workplace is a common practice in the UK. However, this practice raises several data protection issues, including a lack of control over work-related data and a potential invasion of staff privacy. You can address these issues through effective written policies and mobile device management software. Many business owners obtain expert legal advice to ensure that personal data is kept secure and their company fully complies with all relevant data protection requirements.

If you need help ensuring safe personal mobile use in the workplace, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Why does the GDPR not mandate that businesses provide work phones?

The GDPR acknowledges that some businesses lack the funds to provide smartphones to all staff members but may still wish individuals to work on the move.

How common are personal smartphones in the UK?

The vast majority of the working population has a smartphone. Current projections predict that there will be 65 million active smartphone users in the UK by 2025.  

What is mobile device management (MDM) software?

MDM software lets your business remotely manage and secure employees’ devices. It can enforce security policies, separate work and personal data into containers, and remotely wipe work data if a device is lost or stolen.

What should a BYOD policy include?

Your BYOD policy should outline which devices employees can use, security requirements like passwords and encryption, rules for accessing work data, procedures for lost or stolen devices, and steps for removing work data when an employee leaves.


Aamna Mughal

Trainee Solicitor

Aamna is a trainee solicitor at LegalVision within the Corporate and Commercial team.

Qualifications: Bachelor of Laws (Hons), Manchester Metropolitan University.


About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

