
Laptop & Mobile Working Policy UK: Employer Guide

We're not a law firm — we help you find the right legal support. For advice on your situation, speak to a legal adviser or find a solicitor.

Part of UK Employment Law Guide for Employers (2025)

Updated June 2026 · England & Wales
Mobile devices have quietly become the backbone of how most UK businesses actually operate. Laptops travel between home offices and client sites, phones carry confidential emails, and tablets hold client records that would once have been locked in filing cabinets. That convenience comes with exposure. A lost device on a train, a compromised home Wi-Fi network, or an employee downloading a dodgy app can put company data and customer information at real risk. A Laptop and Mobile Working Policy is the document that sets out, in plain terms, how your people are expected to use portable devices, what protections must be in place, and what happens when something goes wrong. I'm Brad Askew, and in this guide I'll walk you through what a strong policy looks like, why it matters, and how to think about tailoring one for your own organisation.

What this document is

A Laptop and Mobile Working Policy is an internal document that governs how staff, contractors and anyone else using your business devices can handle company information on the move. It sits alongside wider IT, acceptable use and data protection policies, and it plugs a specific gap: the risks that arise the moment a device leaves the office.

The policy typically covers company-issued laptops, smartphones, tablets and, in some organisations, personal devices used for work under a Bring Your Own Device arrangement. It spells out expectations around physical security, password management, encryption, software updates, virus protection, use of public Wi-Fi, reporting lost or stolen kit, and what to do when someone leaves the business.

Because UK employers are responsible for personal data they hold under the UK GDPR and Data Protection Act 2018, a clear written policy is also part of demonstrating that you take information security seriously. It protects the business, gives employees certainty, and helps you respond quickly if an incident occurs.

How to use this document

  1. Map who and what the policy needs to cover. Start by listing every category of user who handles company data away from the office, including permanent staff, part-timers, contractors and any third-party service providers. Then list the device types in scope, such as company laptops, mobile phones, tablets, and personal devices if you allow them. This scoping exercise stops gaps appearing later.
  2. Set your security baseline. Decide the minimum technical controls every device must meet before it leaves the premises. This usually includes full-disk encryption, strong passwords or biometric login, automatic screen locking, up-to-date operating systems, and active anti-virus or endpoint protection. Write these requirements in clear language so non-technical staff understand what they need to do.
  3. Define acceptable use and clear boundaries. Set out what employees can and cannot do on company devices. Cover personal use, software installation, connecting to public Wi-Fi, downloading files, and using cloud storage or messaging apps for work. The clearer the rules, the easier it is to deal with problems fairly if someone steps over the line.
  4. Build in incident reporting and loss procedures. Explain exactly what a user must do if a device is lost, stolen, or behaves oddly. Include who to contact, how quickly, and what information to provide. Fast reporting is often the difference between a contained incident and a reportable personal data breach under UK GDPR.
  5. Consult, roll out and review regularly. Share a draft with managers and, where relevant, employee representatives before finalising. Once approved, circulate the policy, get written acknowledgement from staff, and fold it into onboarding. Diary a review at least annually, or sooner if your tech stack, working patterns or the legal landscape shifts.

Common questions

Q Is a Laptop and Mobile Working Policy legally required in the UK?
There is no single law that says you must have this exact policy. However, UK GDPR and the Data Protection Act 2018 require you to put appropriate technical and organisational measures in place to protect personal data. A written policy covering mobile working is one of the most practical ways to show you have thought about the risks and set clear expectations for staff, which can matter significantly if the ICO investigates an incident.
Q Does the policy apply to personal devices used for work?
It can, and in most modern workplaces it should. If you permit Bring Your Own Device, the policy needs to address how company data is separated from personal data, what software must be installed, and what happens to business information when the employee leaves. If you do not allow personal devices for work, say so clearly so there is no ambiguity.
Q What should happen if a laptop or phone is lost or stolen?
Your policy should require immediate reporting to a named contact, usually IT or a data protection lead. From there the business can trigger remote wipe, revoke access credentials, and assess whether a personal data breach has occurred. Under UK GDPR, qualifying breaches must be reported to the ICO within 72 hours, so a slow internal response can create serious compliance problems.
Q Can we monitor employee use of company laptops and phones?
Monitoring is possible, but it needs to be proportionate, clearly communicated, and compliant with data protection law. Staff should be told what is monitored, why, and how the information is used, normally through the policy itself and a privacy notice. Covert monitoring is very rarely justifiable and carries significant legal risk if not handled carefully.
Q How often should the policy be reviewed?
A yearly review is a sensible minimum. You should also revisit the policy whenever you change key technology, adopt new working patterns such as permanent hybrid working, experience a security incident, or when relevant law or ICO guidance is updated. Treat the policy as a living document rather than something you write once and forget.
Q Does the policy need to cover contractors and freelancers?
Yes, if they access company systems or handle business data on portable devices. Their contracts should reference the policy and require compliance. This matters because your responsibility for personal data does not disappear just because the person holding it is not an employee, so the same baseline controls need to apply.
Q What happens when an employee leaves the business?
The policy should set out a clear offboarding process covering the return of company devices, removal of business data from any personal devices, revocation of system access, and deletion of saved credentials. Tying this into your wider leavers process reduces the risk of former staff retaining access to confidential information after they have moved on.

Sources

This guide is based on primary UK law and official guidance.

Written & reviewed by Brad Askew, Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.