SaaS Agreements – Data Protection – BYOD

Employees are increasingly using their privately owned devices (i.e. Ipads, tablets, mobile phones and laptops) for business purposes and may be accessing SaaS customer data using them. SaaS suppliers who allow staff to use such “bring your own devices” (BYOD) for work purposes should be aware of their duties to protect any SaaS customer personal data being accessed by staff using such BYODs.

ICO Guidelines

In March 2013 the Information Commissioner’s Office (ICO) published guidelines providing advice on how to protect personal data that is accessed using a BYOD. The Commissioner underlined the fact that SaaS suppliers are obliged to look after personal data for which they are responsible  under the Data Protection Act 1998 (Act) regardless of ownership of the device used to carry out the processing.

In order to protect SaaS customer data and to comply with their duties under the Act, SaaS suppliers who permit staff to access data on a BYOD should:

  • ensure that the BYOD is password-protected;
  • ensure that data is encrypted when it is transferred;
  • ensure that data is encrypted when it is stored; and
  • consider having a BYOD policy for staff.

BYOD Policy

SaaS suppliers should either prohibit BYOD and the ability to access SaaS customer data for work purposes on such devices entirely or they should permit access within the scope of a BYOD policy.

A BYOD policy should contain rules on the use of personal devices by staff, setting out:

  • which employees are allowed to use a BYOD, i.e. senior management;
  • what types of devices may be used;
  • which types of data may be accessed via the device;
  • how devices will be protected against loss, theft or hacking i.e. by requiring the use of passwords, pins and/or encryption;
  • how data should be deleted when an employee leaves or disposes of a device;
  • how and when use of the device will be monitored; and
  • sanctions for breach of the BYOD policy.

Ownership and Deletion of Data

A BYOD policy should also state that any work data i.e. contact details or content i.e. business documents will remain the property of the SaaS supplier. Employees should agree to the SaaS supplier being permitted to:

  • delete work data and content from the device; and
  • make copies of work data and content if an employee leaves the company’s employment.


SaaS customers are more likely to choose SaaS suppliers who demonstrate that they control and monitor the use of SaaS customer data on BYODs. Having a clear BYOD policy in place will often satisfy a SaaS customer’s concerns about the use and storage of personal data in accordance with the SaaS agreement terms.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

Speaker at the Berlin CloudConf 2013.

To register for my newsletter click here


Other related articles: