
Letting staff use their own phones, tablets or laptops at work, better known as Bring Your Own Device (BYOD), can be a smart move for nonprofits. It cuts hardware costs and also empowers employees with greater flexibility, an important element in today’s remote and hybrid work environments. But without the right policies in place, it also opens the door to security risks, compliance challenges and support challenges.
This blog will show you how to get ahead of those risks with a strong, practical BYOD policy. We’ll walk you through why it matters, what to include, and how to roll it out efficiently across your charity or nonprofit.
Whether you’ve got a policy that needs refreshing or you’re starting from scratch, we’ll help you make BYOD work for your organisation, not against it.
BYOD Policy: Does Your Charity Really Need One?
Ideally, yes. Since the shift to hybrid and remote working, it’s become totally normal for charity staff and volunteers to check emails from their own phones, attend virtual meetings on personal laptops, or store files on home devices. This flexibility has its perks, but it also comes with serious responsibilities. If your nonprofit doesn’t yet have a formal Bring Your Own Device (BYOD) policy in place, now’s the time to change that.
What is a BYOD Policy?
A BYOD IT policy sets clear rules and expectations around how staff can use their own devices for work. That includes accessing email, connecting to the company’s network, and handling sensitive information or systems through corporate apps. Most people think of mobile phones first, and for good reason, but tablets, laptops and even USB drives all fall under the same umbrella.
This trend has only grown within the nonprofit sector. With tighter budgets and more flexible working arrangements, charities have leaned into BYOD as a practical solution.
However, it’s essential to note that although the device belongs to the individual, the charity remains responsible for safeguarding any data stored or accessed through it.
That’s why a successful BYOD setup always starts with a clear, written policy. This document should be accessible to everyone, from full-time staff to temporary volunteers, and give them the guidance they need to stay secure, compliant and productive.
Risks and Challenges Associated with BYOD
Charities are already a top target for cybercriminals due to the sensitive nature of the data they hold and the resource pressures they face. Adding personal devices into the mix only increases your exposure, unless it’s properly managed.
Here are the top risks and why having a BYOD IT policy isn’t just sensible, it’s essential:
- Data Security Concerns
- Compliance Issues
- Device Management Difficulties
- Employee Privacy
Data Security Concerns
Personal devices don’t always have the same security controls as corporate ones, making it easier for unauthorised access or security breaches to occur. A strong BYOD policy helps set standards for encryption, remote wiping and secure app use for effective data loss prevention.
Compliance Issues
Nonprofits still need to conform to data protection regulations, even when data is accessed on someone’s personal device. Without proper controls, it’s far too easy to fall foul of GDPR or other legal requirements. Your policy should make compliance crystal clear.
Device Management Difficulties
From software updates to antivirus tools, ensuring every type of device meets your organisation’s standards can be tricky. A policy helps regulate what’s allowed and what support is in place if something goes wrong.
Employee Privacy
No one wants to feel like their employer is snooping through their phone. Your policy needs to strike the right balance, protecting your charity’s data without intruding on personal boundaries.
And remember, even with the right policy, it pays to have backup protection, such as cyber insurance, which can offer critical support in the event of a breach, something every charity should consider.
What Are Four Common Provisions in a Corporate BYOD Policy?
Most corporate BYOD policies, whether in the private sector or nonprofit space, share a few baseline rules. These aren’t just there to keep IT teams happy; they’re vital for creating a safe, respectful and efficient working environment.
Common provisions include:
- No Harassment or Misuse
Personal devices used for work purposes are still subject to your charity’s code of conduct. A strong BYOD IT policy makes it clear that harassment, inappropriate content, or any kind of misuse won’t be allowed, even if the device technically belongs to the user.
- Device Password Protection
At a minimum, any device connecting to work resources must be protected by a strong password or PIN. This simple measure can prevent major data breaches in the event a phone or laptop is lost or stolen.
- Standard Security Practices
BYOD doesn’t mean ‘bring your own rules.’ A decent policy outlines what kind of security measures and habits are required, from antivirus software to safe browsing practices, so everyone’s working to the same standard.
- Acceptable Use Guidelines
Staff need to know what’s okay and what’s off-limits. Whether it’s avoiding unsecured apps, not syncing work data to personal cloud storage, or using a VPN outside the office, clear guidance makes a big difference.
Key Elements of a BYOD Policy
To make BYOD work for your nonprofit, you need a clear and comprehensive policy. Here are eight fundamentals every policy should cover:
- Allowed Devices
- Security Software
- Security Settings
- VPN Use
- Allowed or Forbidden Apps
- Regular Updates
- Remote Wiping
- Data Ownership
Allowed Devices
Start by defining exactly what’s allowed. That includes specifying device types (smartphones, tablets, laptops), operating systems (iOS, Android, Windows), and even software versions. Devices that are jailbroken or rooted should be off-limits, as they can bypass built-in security. Outdated systems that no longer receive updates should also be excluded; they’re too risky.
Security Software
Many organisations require devices to have specific security features installed, such as antivirus protection, endpoint detection or mobile device management (MDM) apps. These ensure that even on personal hardware, there’s a standard of defence.
Security Settings
Simple configurations can go a long way. Your policy should require devices to auto-lock after a short period of inactivity, and to be accessible only via strong authentication, like a fingerprint, passcode or facial recognition. This helps block opportunistic breaches if a device ends up in the wrong hands.
VPN Use
Remote work often means logging on from cafes, public transport or home broadband. A Virtual Private Network (VPN) encrypts traffic between the user’s device and your company network, helping keep sensitive data private, even on insecure Wi-Fi.
Allowed or Forbidden Apps
Instead of trying to whitelist every safe app, many policies take the opposite approach, banning high-risk tools like unauthorised file-sharing or messaging apps. These apps can open the door to malware or data leaks, so it’s safer to be strict.
Regular Updates
Most software updates aren’t just for new features; they’re for fixing security flaws. The policy should state that updates to apps and operating systems must be installed promptly, ideally within 24 hours of release.
Remote Wiping
If a device goes missing, your organisation needs a way to protect its business data. The policy should require users to report lost devices immediately and agree to remote wiping if the device isn’t recovered promptly. This can be automated through MDM software.
Data Ownership
While the device may be personal, the data on it isn’t. Your policy should clearly state that all company data belongs to the organisation. If someone leaves the charity, they’re expected to delete that data immediately and confirm they’ve done so.
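As an added illustration (not part of the original article and not any MDM product's code), the eight elements above can be expressed as an automated check over device inventory records. The record field names, minimum OS versions, auto-lock limit and app names are assumptions; only the 24-hour update window comes from the article.

```python
from datetime import datetime, timedelta, timezone

# Assumed thresholds: the article names the categories, not these values.
POLICY = {
    "min_os": {"iOS": (17, 0), "Android": (14, 0), "Windows": (10, 0)},
    "forbidden_apps": {"example-fileshare", "example-chat"},  # hypothetical names
    "max_autolock_s": 300,
    "update_window": timedelta(hours=24),  # from the article: ideally within 24 hours
}

def check_device(dev, now):
    """Return the policy elements a device record fails (empty list = compliant)."""
    f = []
    min_ver = POLICY["min_os"].get(dev.get("os"))
    if min_ver is None or tuple(dev.get("os_version", ())) < min_ver:
        f.append("allowed-devices: OS or version not approved")
    if dev.get("rooted", True):  # a missing value is treated as rooted (fail closed)
        f.append("allowed-devices: jailbroken/rooted or unknown")
    if not dev.get("security_agent"):
        f.append("security-software: no antivirus/MDM agent reported")
    lock = dev.get("autolock_s")
    if lock is None or lock > POLICY["max_autolock_s"] or not dev.get("strong_auth"):
        f.append("security-settings: auto-lock or authentication too weak")
    if not dev.get("vpn_profile"):
        f.append("vpn: no VPN profile installed")
    bad = sorted({a.lower() for a in dev.get("apps", [])} & POLICY["forbidden_apps"])
    if bad:
        f.append("apps: forbidden app(s) " + ", ".join(bad))
    pending = dev.get("update_pending_since")  # None = inventory reports nothing pending
    if pending is not None and now - pending > POLICY["update_window"]:
        f.append("updates: update outstanding beyond window")
    if not dev.get("wipe_consent"):
        f.append("remote-wiping: no signed wipe agreement")
    if not dev.get("ownership_ack"):
        f.append("data-ownership: no signed data ownership acknowledgement")
    return f

# Constructed sample inventory records (not real devices).
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
GOOD = {"os": "iOS", "os_version": (17, 2), "rooted": False, "security_agent": True,
        "autolock_s": 120, "strong_auth": True, "vpn_profile": True, "apps": ["Outlook"],
        "update_pending_since": NOW - timedelta(hours=3), "wipe_consent": True,
        "ownership_ack": True}
BAD = {"os": "Android", "os_version": (11, 0), "rooted": True, "autolock_s": 1800,
       "strong_auth": True, "apps": ["Example-FileShare"],
       "update_pending_since": NOW - timedelta(days=9)}

if __name__ == "__main__":
    print(check_device(GOOD, NOW), check_device(BAD, NOW), sep="\n")
```

Records with missing fields fail the corresponding check, so an incomplete inventory entry is never reported as compliant by default.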

How to Leverage Technology for BYOD Management in Charities
Managing a mix of personal and organisational devices can quickly turn into a logistical nightmare, especially when your charity is relying on volunteers and remote workers spread across different locations. But the good news is, with the right tools in place, you don’t have to manage it all manually.
Here are three types of technology that can make BYOD safer, smarter and simpler for charities:
Mobile Device Management (MDM)
MDM solutions give your IT team control over the devices accessing your organisation’s systems and data, even when those devices don’t officially belong to you. They allow for remote configuration, policy enforcement, and even secure data wiping if a device is lost.
When it comes to managing devices, Microsoft Intune is a game-changer. It offers a centralised way to set rules and security standards across all devices. It’s especially helpful for nonprofits looking to stay secure while supporting hybrid or remote work.
Mobile Application Management (MAM)
For some charities, managing the whole device might feel a step too far, especially when volunteers are using personal phones. That’s where MAM comes in. Rather than managing the entire device, it limits control to specific apps, so your team can use Outlook or Microsoft Teams securely, without you needing access to their entire phone. When it comes to remote working, Microsoft Intune makes this possible by applying protection policies directly to apps, even on unmanaged devices.
Cloud Solutions
Cloud-based platforms are another game-changer for nonprofits embracing BYOD. They allow secure access to files, emails and databases from anywhere, without having to store sensitive data directly on personal devices. Using secure cloud storage solutions means your data stays protected in the cloud, not scattered across countless phones and laptops.
By combining these tools, you can create a BYOD environment that works for your team, not against them. It’s all about giving staff and volunteers the freedom to work how they want, without putting your charity’s data at risk.
BYOD Policy FAQs
What are the main concerns with BYOD policies in the workplace?
When staff use their own devices for both personal and work tasks, it can open the door to considerable cybersecurity risks, especially if they’re browsing on public Wi-Fi or using outdated apps. Phishing scams, malware, and network vulnerabilities are all more likely when devices aren’t protected by the same controls as in-house systems. A well-crafted BYOD policy helps lower these risks by setting clear rules for device security and safe online behaviour.
Employees may also push back against a BYOD policy for different reasons. One of the biggest concerns is privacy. When personal devices are used for work, the line between professional and private life can blur quickly. People worry their employer might access personal data or keep tabs on their activity, even outside of work hours. That sense of being watched, even unintentionally, can feel invasive.
What is one of the biggest challenges to a BYOD policy?
Identifying and managing all the different devices that access your charity’s systems is often the hardest part. From making sure each phone or laptop has the right security tools, to keeping track of who’s using what, it can get complicated fast. The other big challenge? Scalability. One of BYOD’s biggest advantages is its flexibility, but without the right infrastructure in place, that flexibility can become a weakness.
What is the difference between BYOD and CYOD?
In a BYOD model, your team uses their own personal devices for work. It’s popular because it cuts costs and supports remote working. In contrast, Choose Your Own Device (CYOD) gives employees a shortlist of approved, pre-secured devices provided by the organisation. While CYOD offers more control, BYOD wins on convenience and budget, which is why many charities have embraced it, especially since the shift to hybrid work.
What is an acceptable use policy for BYOD?
An acceptable use policy is your charity’s chance to set expectations around how personal devices should (and shouldn’t) be used for work. It outlines the behaviours that could lead to security issues, like downloading unauthorised apps, sharing data through personal email, or accessing sensitive systems on unprotected networks. By clearly defining what’s acceptable, you reduce the probability of accidental breaches and lighten the load on your support team.
Conclusion
With hybrid working here to stay and staff expecting more flexibility than ever, allowing personal devices in the workplace makes practical sense, especially for nonprofits needing to make the most of every resource.
But flexibility shouldn’t come at the cost of security. A clear, well-structured BYOD IT policy, along with ongoing cyber training, should be included in your IT roadmap. It’s essential to protect your charity’s data, ensure regulatory compliance, and support smoother day-to-day operations for your whole team.
Would your charity like to learn more about device management and how Microsoft Intune could help you?