Bring Your Own Device (BYOD) Policy

Protection of personal data and privacy under Republic Act No. 10173 - Data Privacy Act of 2012

BYOD Purpose

The BYOD policy at Xymbolic IT Solutions Provider Corporation is designed to:

  • Enable flexibility and productivity by allowing employees to use their personal devices for work-related tasks.
  • Ensure data protection and regulatory compliance, especially with the Data Privacy Act of 2012 (RA 10173), by enforcing strict security protocols.
  • Define clear responsibilities for employees and IT administrators in managing device access, data handling, and breach response.
  • Safeguard company systems and sensitive information from unauthorized access, loss, or misuse when accessed via personal devices.


This document provides policies, standards, and rules of behavior for the use of personally owned smartphones and/or tablets by employees to access corporate resources and/or services. Access and continued use are granted on condition that each user reads, signs, respects, and follows the policies concerning the use of these resources and/or services. This policy is intended to protect the security and integrity of the company data and technology infrastructure. Limited exceptions to the policy may occur due to variations in devices and platforms.


The BYOD and Acceptable Use Policy applies to all employees, interns, contractors, vendors, and anyone using assets. Policies are the organizational mechanism used to manage the confidentiality, integrity and availability issues associated with information assets. Information assets are defined as any information system (hardware or software), data, networks, and components owned or leased by or its designated representatives.


This policy provides guidelines for using personally owned devices and related software for corporate use.

Applicability

The BYOD policy applies to all employees, contractors, vendors, and any other person using or accessing information or information systems. Exceptions to this policy must be approved by the CIO or a designated representative. Furthermore, based on the amount of personally identifiable information (PII) employees work with, management reserves the right to determine which employees can use personally owned devices and which cannot.

Increased Mobility and Convenience

Employees can work from anywhere using familiar devices, improving responsiveness and reducing dependency on company-issued hardware.

Cost Efficiency

Reduces hardware procurement and maintenance costs for the company by leveraging employee-owned devices.

Enhanced Productivity

Employees are more comfortable and efficient using their own devices, which can lead to faster task completion and better engagement.

Improved Data Security

With enforced encryption standards and breach reporting protocols, the policy minimizes risks associated with data leaks and cyber threats.

Regulatory Compliance

Aligns with RA 10173 by ensuring lawful, transparent, and secure processing of personal and company data across all BYOD activities.

Employee Empowerment

Provides autonomy while reinforcing accountability through training, monitoring, and policy adherence.

BRING YOUR OWN DEVICE (BYOD) POLICY

Xymbolic IT Solutions Provider Corporation

Effective Date: 01/01/2020

Version: 1.0

To provide guidelines for the secure and responsible use of personal devices for work-related activities, ensuring compliance with the Data Privacy Act of 2012 (RA 10173).

Applies to all employees, contractors, interns, and third-party service providers using personal devices to access company systems and data.

  • Use personal devices only for authorized work tasks.
  • Do not store or transmit sensitive data unless encrypted and approved.
  • Avoid installing unauthorized software or accessing prohibited content.
  • Use strong passwords and enable device encryption.
  • Install antivirus software and allow remote wipe capability.
  • Avoid unsecured public Wi-Fi when accessing company resources.
  • Personal data must be processed lawfully and transparently.
  • Access to sensitive data is restricted and monitored.
  • Breaches must be reported immediately to the Data Protection Officer (DPO).
  • Devices may be audited periodically.
  • Usage logs will be maintained for accountability.

Employees participating in the BYOD program must:

  • Register devices with the IT department.
  • Maintain device security and software updates.
  • Report lost, stolen, or compromised devices immediately.
  • Protect company data and credentials.
  • Comply with all company policies and cooperate with audits.

  1. Submission: Complete the BYOD Registration Form and submit device details.
  2. Approval: IT reviews for compatibility and security compliance.
  3. Configuration: IT assists with secure setup and access.
  4. Confirmation: Users receive approval and acknowledge policy terms.

Devices must meet the following minimum standards:

  • OS: Windows 10+, macOS 11+, Android 10+, iOS 14+
  • Hardware: 4GB RAM, 64GB storage, camera/mic, Wi-Fi/Bluetooth
  • Security: Encryption, biometric or password protection, antivirus
  • Software: Must support company-approved apps and remote management

  • Report suspected or confirmed breaches within 24 hours to the DPO and IT Security Team.
  • Include device type, breach details, and actions taken.
  • IT will initiate containment and investigation.
  • A formal incident report is required.
  • DPO will assess and notify affected parties or the NPC if needed.

  • User Responsibility: Maintain device functionality and security software.
  • IT Support Scope: Initial setup, connectivity, and approved app support.
  • Limitations: IT does not repair hardware or support non-approved third-party apps.

  • Device-Level Encryption: Full-disk encryption must be enabled.
  • Data-in-Transit Encryption: Use secure protocols (HTTPS, SSL/TLS, VPN).
  • Data-at-Rest Encryption: Sensitive files must be encrypted locally or in cloud storage.
  • Key Management: Encryption keys must be securely stored and never shared.

  • Remote access is permitted only via registered and approved devices.
  • VPN and multi-factor authentication are mandatory.
  • Remote sessions must be logged out when not in use.
  • Access from unsecured networks is prohibited unless using VPN.
  • All remote activity is monitored for compliance.

All BYOD users must adhere to the following internal policies:

  • Acceptable Use Policy
  • Information Security Policy
  • Confidentiality Agreements
  • Code of Conduct
  • Data Privacy Guidelines

Violations may result in disciplinary action, revocation of BYOD privileges, or legal consequences.

To ensure proper understanding and compliance with BYOD standards:

  • Mandatory Orientation: All BYOD participants must attend a training session on device security, data privacy, and acceptable use.
  • Annual Refresher Courses: Employees must complete yearly updates on BYOD policies and cybersecurity best practices.
  • Specialized Modules: Additional training may be required for employees handling sensitive data or accessing critical systems.
  • Certification: Completion of training will be documented and required for continued BYOD access.
  • Support Materials: Guides, FAQs, and helpdesk support will be available to assist employees in maintaining compliance.

  • Access will be revoked upon termination or policy violation.
  • Devices must be wiped of company data before clearance.

  • Disputes will be resolved through negotiation, then mediation.
  • If unresolved, arbitration under PDRCI rules will be final and binding.

Data Protection Officer (DPO)
Email: dataprotection@xymbolic.com.ph
Phone: +63.919.9915.377