Dangers of allowing employees to use personal devices & personal mobiles for business use


Are you putting your business at risk by allowing employees to use personal devices & personal mobiles for business use?

 

How this really plays out in a small business

Most SMEs don’t wake up one day and decide, “We will officially adopt a BYOD (bring your own device) strategy.” It creeps in over time.

Someone adds customer mobile numbers straight into their personal address book so they can “ring them on the road”. A manager who’s trying to fix a rota problem sets up a WhatsApp group using personal numbers. A member of staff forwards a spreadsheet to their private email so they can “finish it later on the sofa”.

No one writes this down as a process. There’s no policy, no real controls and usually no conversation about data protection. It’s all in the name of getting the job done and keeping customers happy.

Fast forward a few months and customer details are dotted around on a mixture of personal phones, tablets, home laptops, Gmail accounts and iCloud/Google Drive/Dropbox folders. If you tried to draw a map of where your data actually lives, it would be guesswork.

Nothing is joined up. Nobody has written this down as “how we do things around here”. It’s just people trying to be helpful and get things done.

Until, one day, you realise:

  • You don’t know which personal devices your customer data is sitting on.
  • Ex-employees still have client contact lists and old emails on their phones.
  • Work conversations and documents are buried in WhatsApp, Messenger, Gmail and personal cloud accounts that you don’t control.

At that point, it’s not just untidy. It’s a GDPR and business-continuity headache.

What’s actually on those personal mobiles and devices?

If you ask a member of staff what they’ve got on their phone, they’ll probably say, “Just numbers and WhatsApp.” Dig a little deeper and, in a typical SME, it often includes:

  • Customer names, mobile numbers and email addresses
  • Email threads and attachments going back months or years
  • Photos of whiteboards, contracts, ID documents or job notes
  • Files saved to personal iCloud, Google Drive or Dropbox
  • Call history, voicemail and message logs

Under UK GDPR, anything that can identify a person is personal data. That includes your employees, your customers, residents, service users, parents, suppliers – everyone.

If those details live on personal devices and personal apps, you’ve already lost a chunk of control.

GDPR: why this is more than “messy but manageable”

UK GDPR and the Data Protection Act 2018 don’t say you can never use personal devices. What they do say is that you must protect personal data properly, know where it is, and be able to respond when someone exercises their rights or when something goes wrong.

That’s where SMEs using staff’s own phones and kit hit trouble.

You can’t honestly say:

  • exactly where all the personal data is stored;
  • who can see it (including partners, children, friends, or other apps on the device);
  • whether it’s encrypted, backed up securely or protected by a strong password;
  • that you can delete it when you no longer need it.

If a customer asks for a copy of their data, you’re supposed to be able to search your systems and respond properly. That becomes incredibly difficult if half the story is in personal inboxes, private chats and photos on staff mobiles.

If someone demands that you delete their data, you’re expected to do more than shrug and say, “We’ve wiped what’s in the office – no idea what’s on everyone’s phones.” For a small or medium-sized employer, that kind of answer can cause serious problems if a complaint reaches the ICO.

The real cost for SMEs: not just fines

Fines get the headlines, and yes, the ICO has the power to hit organisations with large penalties. But for most SMEs, the bigger impact comes from everything wrapped around a data issue.

Think about the practical cost of a lost phone with unprotected customer data, or a disgruntled leaver walking away with a full client list:

  • You may need urgent IT help to understand what’s at risk and what can be recovered.
  • You may need legal advice on your obligations, contracts and next steps.
  • You may have to notify the ICO and affected customers, then manage their questions and complaints.
  • Senior people lose days dealing with the fall-out rather than running the business.

Then add reputational damage. Customers today pay attention to how their data is handled. If they find out their details were sitting in unprotected personal apps, that trust evaporates quickly. One detailed LinkedIn post or Google review can have a real impact on a local business.

And there’s the commercial risk: if a key employee leaves with your customer list, you may lose contracts, see relationships damaged or watch as a competitor suddenly becomes very popular with people you worked hard to win.

All of that because “just use your own phone” felt cheaper than a basic business handset.

Who owns your customer data if it lives in someone’s pocket?

This is where things get really uncomfortable for smaller employers.

If everything is held in your CRM, your business email system and your shared drives, it’s clear that those records belong to the company. You can back them up, audit them, and remove access when someone leaves.

If customer details, pricing, discount agreements and complaint history have all grown up inside a personal contacts list and private chats, those lines blur.

An employee resigns, or you have to dismiss them. They walk out with your live customer base still easily accessible on their personal phone. The contract may say they mustn’t use it, but proving what they’ve got and what they’ve done with it is a completely different story.

From a GDPR perspective, you’re also in a weak position. You can’t genuinely say where that data is or who has access to it – but as the employer, you’re still the one responsible.

Why you can’t just “make them wipe it”

A lot of owners assume that, if push comes to shove, they can simply insist that staff delete everything and show them the phone as proof.

In reality, it’s rarely that simple.

Personal phones, laptops and tablets are exactly that – personal. Unless you’ve put very clear contractual rights and technical controls in place from the start, you can’t just take someone’s phone, reset it, or start scrolling through their photos and private messages.

Even if people are trying to do the right thing, it’s hard to be certain all the data has gone. Old backups, synced cloud accounts, archived email, screenshots and old devices in drawers can all quietly keep hold of information.

Once your data has spread onto personal tech, getting it back under control is difficult, time-consuming and rarely perfect.

Getting a grip: what SMEs can realistically do about personal devices

If you’re reading this thinking, “We’re already letting people use their own phones and laptops,” you are absolutely not alone. The answer isn’t panic – it’s getting structured.

For most small and medium-sized employers, the journey looks something like this:

Work out what’s actually happening now

Talk to people. Which roles regularly use personal devices for work? What systems do they access? What kind of personal data is involved? This doesn’t have to be a massive project, but you need a clear picture.

Decide your approach

Broadly, you have a few choices:

  • Company-owned devices for anyone who handles personal data regularly (sales, managers, HR, admin).
  • A controlled “bring your own device” arrangement with proper tools (for example, separate work profiles, mobile device management, or container apps that keep company data in its own secure box).
  • A mix of both, but based on conscious decisions, not habit.

Put it in writing – in plain English

For SMEs, the policy needs to be simple and practical. If it reads like a 20-page IT manual, no one will follow it. Keep it short, clear and written for normal humans, while still covering everything the company needs to protect itself.

Strengthen the tech where you can

Switching away from random personal accounts to proper business tools makes a big difference. Business-grade email and collaboration systems give you much better control over who can access what, and they make it easier to cut off access quickly.

Where it fits, use tools that allow “selective wipe” – removing company data from a device without touching the employee’s personal apps and photos. But again, this needs to be set up and agreed in advance.

Fix your leaver process

When someone leaves, especially if they’ve had access to personal data:

  • remove access to email, shared drives and systems promptly;
  • collect any company-owned phones, laptops or tablets;
  • ask them to confirm, in writing, that they’ve deleted any company data held on personal devices or accounts.

You can’t make this fool-proof, but you can show you’ve taken reasonable, documented steps – and that counts for a lot.

Train managers not to create the problem

Finally, managers need to stop creating the risk without realising it. Casual instructions like “just WhatsApp me the spreadsheet” or “send it to my personal email so I see it quicker” are exactly how these habits bed in.

A short, targeted briefing can go a long way: here’s what you can use, here’s what you can’t, and here’s why it matters.

Is a business phone really more expensive?

Once you add up the potential costs of a breach, a complaint or a key leaver walking away with your customer data, a basic business mobile suddenly doesn’t look that expensive.

With a company device, you decide what gets installed, how it’s secured and what happens to it when employment ends. You can enforce your policies. You have a stronger position with the ICO if something does go wrong. And you avoid a lot of awkward “who owns what” conversations.

For many SMEs, the sensible answer is a blended approach: company devices for higher-risk roles, and tightly controlled, limited use of personal tech where the risk is low and the benefit is clear. The key is that it’s deliberate, managed and documented – not just a habit that grew because no one wanted to say no.

Bringing it back to basics

If customer data is sitting in people’s pockets, on their sofas and in their personal cloud accounts, you’re carrying a much bigger risk than most small and medium-sized employers realise.

You could be:

  • struggling to comply with GDPR if someone challenges you;
  • exposed if a phone is lost, stolen or hacked;
  • vulnerable if a member of staff leaves with your contacts and conversations still at their fingertips.

It’s far easier – and far cheaper – to get ahead of this now than to deal with it under pressure after something has gone wrong.

If you’d like help to review how your people are currently using their own devices, put a sensible policy in place or train managers in what “good” looks like, this is exactly the kind of practical, plain-English support KeyHR offers to SMEs.
