The ICO published a guidance to help data controllers fully understand their obligations and promote good practice for the case in which the user of the device is not the data controller.
Bring your own device (BYOD) raises a number of data protection concerns. Therefore:
It is crucial that the data controller ensures that all processing for personal data which is under his control remains in compliance with the UK Data Protection Act 1998.
Protecting data in the event of loss or theft of the device will need to be considered but not to the exclusion of other risks.
Data controllers must also remain mindful of the personal usage of such devices and technical and organisations used to protect personal data must remain proportionate to and justified by real benefits that will be delivered.