Bring Your Own Device (BYOD) is the norm at most small businesses, even if it is not formal policy. Staff check email on personal phones, open files on home laptops, and use personal tablets for video calls. Without a written policy, you have no way to enforce minimum security standards or address a situation where a personal device is lost and contains company data. Here is a BYOD policy template for BC businesses.
Why a Written Policy Matters
BC PIPA requires that you protect personal information in your custody with reasonable security arrangements against unauthorized access, use and disclosure. If company data containing client personal information is reachable from unmanaged personal devices, that is a compliance gap. A written BYOD policy that requires minimum security standards - screen lock, device encryption, consent to remote wipe of company data - is the documented safeguard, and the technical controls that enforce it are the evidence that the safeguard is real.
A written policy also sets expectations for employees. Staff who understand the rules are less likely to make accidental disclosures and more likely to report a lost or stolen device promptly. Ambiguity creates risk.
Policy Section 1: Scope and Eligibility
Define which employees may use personal devices for work, which types of devices are permitted (smartphones, tablets, laptops), and which work activities are permitted on personal devices. Common restrictions: no access to client files from personal devices, personal devices may be used for email and calendar only, or personal devices require MDM enrollment for any access.
Specify which data categories are prohibited on personal devices: payroll data, client contracts, regulated personal information. Some businesses prohibit personal device access to specific applications that hold sensitive data.
Policy Section 2: Minimum Security Requirements
Personal devices used for work must meet minimum standards: screen lock with a PIN, password, or biometric; device encryption enabled (on by default on current iOS and Android, but BitLocker or FileVault must be turned on for laptops); OS and app updates applied within 30 days of release; on Android, Google Play Protect enabled and apps installed only from Google Play (iOS's built-in platform protections are generally acceptable); no jailbreaking or rooting.
Specify that the employee must report a lost or stolen device within four hours of discovering the loss. Your IT team needs to know promptly to revoke sign-in sessions and credentials and to initiate a selective wipe of company data. A password reset alone is not enough: existing app tokens on the device keep working until the sessions are revoked.
Policy Section 3: Acceptable Use
Define what employees may and may not do with company data on personal devices. Acceptable: reading and responding to email, joining video calls, accessing cloud documents through official apps. Not acceptable: downloading company files to local device storage, using personal cloud storage accounts to share work files, using work accounts for personal purposes.
The line between work and personal use on a personal device is inherently blurry. Your policy does not need to be exhaustive, but it needs to define the clear prohibitions so that violations can be identified and addressed.
Policy Section 4: Remote Wipe and Privacy
Include a clause stating that the company reserves the right to remotely wipe company data and applications from enrolled devices in the event of a security incident or device loss. Use Microsoft Intune's selective wipe capability, which removes company data held by the managed apps (and, on MDM-enrolled devices, company-installed apps and profiles) without wiping personal photos and apps. Name the capability in the policy so that employees are not surprised when it is used.
Balance the wipe capability with a clear privacy commitment: the company will not access personal data on the device, will not monitor personal applications, and will not use device management for purposes other than security. This balance is essential for employee trust.
Implementing the Policy with MDM
A written policy needs a technical enforcement layer. Microsoft Intune app protection policies (MAM without enrollment) let you enforce data protection requirements on personal devices without full MDM enrollment. The policy applies inside Outlook, Teams, and the other M365 apps while leaving personal apps untouched. The caveat is that an app protection policy only governs apps built with the Intune App SDK: an employee who signs in from an unmanaged mail client bypasses it entirely. Pair the policy with a Conditional Access rule that uses the "Require app protection policy" grant control, so that the protected apps are the only way to reach company data at all.
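The following PowerShell is an added example, not the page's or North Star's own configuration. It shows how the written policy's Section 2 and Section 3 requirements map onto a single Intune app protection policy created through Microsoft Graph. It assumes the Microsoft.Graph PowerShell module is installed, the signed-in admin holds the DeviceManagementApps.ReadWrite.All permission, and an Entra ID group for BYOD users already exists (its object ID goes in the placeholder $ByodGroupId). The iOS bundle IDs for Outlook and Teams, the minimum OS version, and the grace periods are assumed values to be adjusted for your environment.

```powershell
# Added example: create an iOS app protection policy (MAM without enrollment),
# scope it to Outlook and Teams, and assign it to the BYOD users group.
# The Android policy has the same shape against
# deviceAppManagement/androidManagedAppProtections.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome

$ByodGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your BYOD users group
$Graph = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"

# Policy Section 2 (minimum security) and Section 3 (acceptable use) as MAM settings.
$policy = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "BYOD - iOS app protection (MAM without enrollment)"
    description   = "Enforces the written BYOD policy inside managed M365 apps"

    # Screen-lock equivalent inside the managed apps; biometric unlock stays allowed.
    pinRequired        = $true
    minimumPinLength   = 6
    simplePinBlocked   = $true
    maximumPinRetries  = 5
    fingerprintBlocked = $false

    # Work identity only: the app must be signed in with the company account.
    organizationalCredentialsRequired = $true

    # Acceptable use: no local copies, no personal cloud storage, no data out to unmanaged apps.
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    dataBackupBlocked                       = $true    # keep company data out of iCloud backups
    printBlocked                            = $true
    contactSyncBlocked                      = $true
    managedBrowserToOpenLinksRequired       = $true

    # Patching and device state. The version is an assumed value; set it to the
    # oldest release still receiving security updates. deviceComplianceRequired is
    # the setting Intune uses to block jailbroken or rooted devices (assumed mapping).
    minimumRequiredOsVersion = "17.0"
    deviceComplianceRequired = $true

    # Grace periods (ISO 8601 durations): re-check access online every 30 minutes,
    # allow 12 hours offline, and wipe company data if the device is offline 30 days.
    periodOnlineBeforeAccessCheck     = "PT30M"
    periodOfflineBeforeAccessCheck    = "PT12H"
    periodOfflineBeforeWipeIsEnforced = "P30D"
}

$created = Invoke-MgGraphRequest -Method POST -Uri $Graph `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"
$policyId = $created.id

# Scope the policy to the apps the written policy permits (bundle IDs assumed).
$apps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                    bundleId      = "com.microsoft.Office.Outlook" } },
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                    bundleId      = "com.microsoft.skype.teams" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$Graph/$policyId/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Assign the policy to the BYOD users group.
$assign = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                       groupId       = $ByodGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$Graph/$policyId/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType "application/json"

Write-Host "Created and assigned app protection policy $policyId"
```

The settings are grouped by the policy section they enforce so that an auditor can trace each written requirement to a control. Note what this does not do: it does not stop a user from signing in to company mail from an unmanaged client, which is why the Conditional Access "Require app protection policy" grant control belongs alongside it, and it does not verify OS patch level on the device beyond the minimum version, so the 30-day update requirement still depends on the written policy and on compliance checks if devices are enrolled.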
North Star configures Intune app protection policies as part of our M365 deployment engagements. Contact us if you need help moving from a written BYOD policy to a technically enforced one.