Published: 17 March 2026 • Compare The Networks
Every business mobile phone in your organisation is a portable database of personal data. Contacts, emails, text messages, call logs, photographs, app data, location history, calendar entries, and cloud-synced files — all of it falls under the scope of UK GDPR. If you are not actively managing the data on your business phones, you are almost certainly not compliant. A single lost or stolen device with an unlocked screen could trigger an ICO-reportable data breach, fines, and reputational damage that far exceeds the cost of proper mobile data management.
This guide provides a comprehensive overview of how UK GDPR applies to business mobile phones in 2026, covering company-owned devices, BYOD (Bring Your Own Device), MDM (Mobile Device Management), employee departures, data breaches, and a practical 10-point compliance checklist you can implement immediately.
How GDPR Applies to Business Mobile Phones
UK GDPR applies to any device that processes personal data — and business mobile phones process personal data constantly. Every time an employee saves a contact, sends an email, receives a text message, takes a photo of a document, or logs into a CRM app, personal data is being processed on that device.
Your business is the data controller for any personal data processed on business devices. This means you are responsible for:
- Ensuring the data is processed lawfully, fairly, and transparently
- Collecting only the data that is necessary (data minimisation)
- Keeping data accurate and up to date
- Not storing data for longer than necessary (storage limitation)
- Protecting data with appropriate technical and organisational measures (security)
- Being able to demonstrate compliance (accountability)
These are not abstract principles — they translate directly into practical requirements for how you configure, manage, and control business mobile phones.
Key GDPR Principles Applied to Mobile Devices
Data Minimisation
Only collect and store the personal data you actually need. On a business phone, this means:
- Do not sync every contact from a CRM to the phone if the employee only needs a subset
- Delete old messages and emails that are no longer needed
- Do not store customer documents locally on the device when they could remain in the cloud
- Disable automatic photo and video backups if they might capture personal data inadvertently
Storage Limitation
Personal data should not be kept on a mobile device indefinitely. Implement automatic deletion policies:
- Set email retention periods (e.g., delete emails older than 12 months from the device)
- Clear message history periodically
- Remove ex-customer contacts that are no longer needed
- Review and purge downloaded files regularly
Security (Integrity and Confidentiality)
You must take “appropriate technical and organisational measures” to protect personal data. For mobile phones, this means:
- Mandatory screen locks (PIN, fingerprint, or face recognition)
- Full device encryption (enabled by default on modern iOS and Android devices)
- Remote wipe capability
- Secure connections (VPN for accessing company systems)
- Regular software updates and security patches
- Restrictions on installing unverified apps
Accountability
You must be able to demonstrate that you are complying with GDPR. For mobile devices, this means:
- Having a written mobile device policy
- Documenting your MDM configuration and security settings
- Keeping records of device assignments (who has which phone)
- Logging device wipes and data deletion actions
- Training employees on data protection responsibilities
What Counts as Personal Data on a Business Phone?
The scope of personal data on a business mobile is broader than most people realise:
| Data Type | Examples | GDPR Relevance |
|---|---|---|
| Contacts | Customer names, phone numbers, email addresses | Directly identifiable personal data |
| Emails | Inbox, sent items, drafts containing personal information | May contain sensitive personal data, financial details, health information |
| Messages | SMS, WhatsApp, Teams, Slack messages | Conversation content often contains personal data |
| Call logs | Numbers called, call duration, timestamps | Reveals communication patterns and relationships |
| Photos and videos | Images of documents, ID photos, site photos with people | Photographic identification is personal data; photos with location data doubly so |
| App data | CRM records, accounting data, HR records | Business apps often cache personal data locally on the device |
| Location data | GPS history, check-ins, map searches | Location data can identify individuals and reveal sensitive information |
| Calendar | Appointments with customer names, meeting notes | Contains names, contact details, and potentially sensitive meeting subjects |
| Browser data | Saved passwords, autofill data, browsing history | May include login credentials for systems containing personal data |
Company-Owned Phones: GDPR Advantages
Company-owned devices give your business the maximum level of control over personal data, which is a significant advantage for GDPR compliance:
- Full MDM control — You can install and enforce MDM policies across all devices, including mandatory encryption, screen locks, app restrictions, and remote wipe.
- Device retrieval — When an employee leaves, you get the phone back. There is no ambiguity about data ownership or access.
- Consistent configuration — All devices are configured identically with the same security settings, app restrictions, and policies. This makes compliance auditing straightforward.
- Remote wipe — If a phone is lost or stolen, you can wipe it immediately without negotiating with the employee about their personal data.
- Update management — You can enforce timely installation of security updates and OS patches across all devices.
- App management — You control which apps are installed, preventing employees from installing risky or data-harvesting applications.
For businesses handling sensitive personal data (healthcare, legal, financial services), company-owned phones with strict MDM are effectively the only GDPR-compliant option. The level of control required is simply not achievable on personal devices.
Company Phones for GDPR Compliance
Company-owned phones with business contracts give you full control over data and devices. We compare deals across all UK networks to find the best fit for your business.
Get a Free QuoteBYOD Phones: GDPR Challenges
Bring Your Own Device (BYOD) policies introduce significant complexity for GDPR compliance. When employees use their personal phones for work, you face several challenges:
Limited Device Control
You cannot mandate full MDM on a personal device — only the work container or profile. The employee controls the rest of the device, including the operating system version, security settings, and installed apps.
Data Separation
Work data and personal data coexist on the same device. Containerisation apps (such as Microsoft Intune’s managed apps, Samsung Knox Workspace, or Android Enterprise work profile) create a separate, encrypted workspace for business data. This is essential — without containerisation, personal and business data cannot be reliably separated.
Employee Consent
MDM on a personal device requires the employee’s consent, and they can withdraw that consent at any time. If they do, you must have a plan for immediately revoking access to company data.
Remote Wipe Limitations
On a company phone, you can wipe the entire device. On a BYOD device, you can only wipe the work container. If an employee has been saving work files outside the container (e.g., downloading email attachments to the camera roll), that data cannot be remotely wiped without affecting personal files.
BYOD Policy Requirements
If you allow BYOD, you need a clear, written BYOD policy that covers:
- Minimum security requirements (OS version, screen lock, encryption)
- Mandatory containerisation software
- What happens when the employee leaves (work container wipe)
- What the employer can and cannot see on the device
- Employee responsibilities for device security
- Reporting requirements for lost or stolen devices
- Consequences of policy non-compliance
MDM (Mobile Device Management) for GDPR Compliance
MDM is the single most effective technical measure for GDPR compliance on business mobile phones. It provides the control, visibility, and enforcement capabilities that GDPR requires.
What MDM Can Do
- Enforce screen locks — Mandate minimum PIN length, biometric authentication, and auto-lock timeouts
- Encrypt data — Verify and enforce full-device encryption on all managed devices
- Remote wipe — Erase all data from a lost or stolen device within minutes, significantly reducing breach severity
- Restrict app installations — Block unapproved apps that could compromise data security
- Enforce updates — Require timely installation of OS and security updates
- Monitor compliance — Dashboard showing which devices are compliant and which are not
- Geo-fencing — Restrict certain data or features based on geographic location
- VPN enforcement — Require VPN connection when accessing company systems
- Certificate management — Deploy security certificates for email and Wi-Fi authentication
Popular MDM Solutions for UK Businesses
| Solution | Best For | Key Feature |
|---|---|---|
| Microsoft Intune | Businesses using Microsoft 365 | Included in many M365 plans; seamless integration with Outlook, Teams, OneDrive |
| Samsung Knox | Samsung device fleets | Hardware-level security; deep device control for Samsung phones |
| Apple Business Manager | iPhone/iPad fleets | Zero-touch deployment; supervision mode for full control |
| VMware Workspace ONE | Large enterprises, mixed fleets | Supports iOS, Android, Windows; advanced analytics |
| Jamf | Apple-only businesses | Best-in-class Apple device management |
What to Do When an Employee Leaves
Employee departure is one of the highest-risk moments for mobile data protection. Having a clear, documented process is essential:
Company-Owned Phone
- Retrieve the device — Collect the phone on or before the employee’s last day
- Back up business data — If there are conversations, files, or app data that the business needs to retain, back them up before wiping
- Factory reset — Perform a full factory reset to erase all data
- Revoke account access — Deactivate the employee’s email, CRM, cloud storage, and all other business accounts
- Change shared passwords — Update any shared credentials the employee had access to
- Document the process — Record what was done and when as evidence of GDPR compliance
- Reassign or redeploy — Set up the phone for the next employee or return it to stock
BYOD Phone
- Remote wipe the work container — Use MDM to wipe only the business data container, leaving personal data intact
- Revoke account access — Deactivate all business accounts immediately
- Remove MDM profile — Once data is confirmed wiped, remove the MDM profile from the device
- Confirm with the employee — Have the employee confirm (ideally in writing) that no business data remains on their personal device
- Document everything — Record the wipe, account revocations, and employee confirmation
Data Breach on a Mobile Phone
A data breach involving a business mobile phone is more common than you might think. The most frequent scenario is simple: a phone is lost or stolen, and the person who finds or steals it can access personal data on the device.
What Constitutes a Breach?
Under GDPR, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” On a mobile phone, this includes:
- A lost or stolen phone that is unlocked or has a weak/guessable PIN
- Someone accessing emails, contacts, or messages without authorisation
- Malware or spyware extracting data from the device
- An employee sharing their screen while personal data is visible
- Accidental forwarding of messages or emails containing personal data
- A phone being accessed during repair or servicing
Reporting to the ICO
If a breach is likely to result in a risk to individuals’ rights and freedoms, you must report it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it. You must also notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
How MDM Reduces Breach Severity
Having MDM with remote wipe and encryption dramatically reduces the severity of a mobile phone breach:
- Encrypted + locked device — If the phone was locked with a strong PIN and fully encrypted, the data is inaccessible. The breach severity is low, and ICO reporting may not be required.
- Remote wipe within minutes — If you can wipe the phone remotely before anyone accesses the data, the breach is contained. Document the time between loss and wipe.
- No encryption, no lock — If the phone had no PIN and no encryption, all data is immediately accessible. This is a high-severity breach that must be reported to the ICO within 72 hours.
The difference between “lost phone, no breach to report” and “lost phone, ICO investigation” often comes down to whether MDM, encryption, and screen locks were in place. The cost of MDM is negligible compared to the cost of a data breach.
10-Point GDPR Compliance Checklist for Business Mobiles
Use this checklist to assess and improve your current mobile device compliance:
- MDM deployed on all business devices — Every company-owned phone and every BYOD device accessing company data should have MDM installed and active.
- Mandatory screen locks — Minimum 6-digit PIN or biometric authentication. Auto-lock after 2 minutes of inactivity. No “swipe to unlock” without a PIN.
- Full device encryption enabled — Verify encryption is active on every device. Modern iOS devices are encrypted by default when a passcode is set. Android devices should have encryption verified via MDM.
- Remote wipe capability tested — Do not just have remote wipe configured — test it regularly. Run a test wipe on a spare device quarterly to confirm it works and measure the response time.
- Written mobile device policy — A documented policy covering acceptable use, security requirements, BYOD rules, breach reporting, and employee departure procedures. All employees must sign it.
- Employee training completed — Staff should understand their data protection responsibilities, how to report a lost device, what not to store on their phone, and how to recognise phishing attempts.
- App restrictions in place — Block installation of unapproved apps on company devices. On BYOD devices, restrict which apps can access company data through the work container.
- Data retention policy applied — Automatic deletion of emails, messages, and cached data after a defined period. Regular review and purge of contacts and files.
- Employee departure process documented — A written, step-by-step process for handling devices when employees leave, including retrieval/wipe, account revocation, and documentation.
- Breach response plan includes mobile scenarios — Your data breach response plan should specifically address mobile phone loss, theft, and unauthorised access, including who to contact, how to initiate remote wipe, and when to report to the ICO.
Common GDPR Mistakes with Business Phones
These are the most frequent compliance failures we see with business mobile phones:
Not Wiping Phones When Staff Leave
This is the number one mistake. An employee leaves the business and keeps the company phone (or the BYOD phone with company data) without any data being wiped. Months later, the phone is sold, recycled, or given to a family member — complete with customer contacts, emails, and business files. This is a clear GDPR breach.
No Screen Lock Policy
Allowing employees to use business phones without a PIN, fingerprint, or face recognition is negligent. If that phone is lost, every piece of personal data on it is immediately accessible. There is no excuse for not enforcing screen locks via MDM.
No MDM on Company Phones
Handing out company phones without MDM is like giving employees keys to the filing cabinet but no lock on the door. Without MDM, you cannot enforce security policies, you cannot remote wipe a lost device, and you cannot demonstrate compliance to the ICO.
Mixing Personal and Business Data on BYOD
Allowing employees to use personal phones for work without containerisation means personal and business data are mixed together. You cannot selectively wipe business data, you cannot control how the data is shared, and you have no visibility into whether the device is secure.
No Data Retention Policy
Keeping every email, message, and contact on a business phone indefinitely violates the storage limitation principle. If you have no automatic deletion or regular purge process, you are storing more personal data than necessary — and that data is at risk if the phone is compromised.
Ignoring App Permissions
Many apps request access to contacts, location, camera, and storage. If an employee installs a game that accesses the phone’s contact list, customer data from the business contacts could be shared with the app developer. Restricting app installations and reviewing app permissions is essential.
Frequently Asked Questions
Q: Does GDPR apply to business mobile phones?
Yes. UK GDPR applies to any device that processes personal data, and business mobile phones process personal data extensively. Contacts, emails, messages, call logs, photos, app data, calendar entries, and location data all constitute personal data under the regulation. Your business is the data controller for all personal data processed on business devices and must ensure appropriate security measures are in place at all times.
Q: Do I need MDM on all company phones?
While MDM is not a specific legal requirement named in the GDPR text, it is considered best practice and is the most practical way to demonstrate compliance with GDPR’s requirement for “appropriate technical and organisational measures.” MDM enables remote wipe, enforces encryption, mandates screen locks, controls app installations, and provides compliance reporting. The ICO expects businesses to take appropriate measures proportionate to the risk — and for any business handling customer data on mobile phones, MDM is the most straightforward and defensible approach.
Q: What should I do if a company phone is lost or stolen?
Immediately initiate a remote wipe via your MDM platform. Then assess whether personal data was likely to have been accessed. If the phone was locked with a strong PIN and encrypted, the risk is low and the breach may not need to be reported. If the phone was unlocked, had a weak PIN, or lacked encryption, you must report the breach to the ICO within 72 hours and notify affected individuals without undue delay. Document everything: the time of loss, the time the wipe was initiated, the security status of the device, and what data was on it.
Q: Can employees use personal phones for work under GDPR?
Yes, BYOD is permitted under GDPR, but it introduces significant complexity. You need a clear written BYOD policy, containerisation software to separate work and personal data (such as Microsoft Intune managed apps or Android Enterprise work profile), the ability to remotely wipe only the work container, and the employee’s informed consent for MDM on their personal device. Many businesses find that company-owned phones with full MDM control are simpler, cheaper in the long run, and far easier to manage for GDPR compliance.
Q: How do I wipe company data when an employee leaves?
For company-owned phones: retrieve the device, back up any data the business needs to retain, perform a full factory reset, revoke access to all company accounts (email, CRM, cloud storage), and document the process. For BYOD: use MDM to remotely wipe only the work container (leaving personal data intact), revoke all company account access, remove the MDM profile, and have the employee confirm in writing that no business data remains on their personal device.
Q: What counts as a data breach on a mobile phone?
Any unauthorised access to personal data stored on the phone constitutes a potential breach under GDPR. This includes: a lost or stolen phone where the finder can access data, someone accessing emails or contacts without authorisation, malware extracting data from the device, an employee accidentally sharing screen contents containing personal data, or even a phone being accessed by an unauthorised third party during repair. If personal data is or may have been compromised, it should be treated as a potential breach and assessed accordingly.
Q: How long should I keep data on business phones?
Under GDPR’s storage limitation principle, you should only keep personal data for as long as necessary for its intended purpose. There is no single prescribed retention period — it depends on the type of data and your business needs. As a general guide: set automatic email deletion after 12–24 months on the device (archive to a server if longer retention is needed), clear message histories periodically, review and purge contact lists quarterly, and delete downloaded files that are no longer needed. Document your retention periods in your data protection policy.
Q: Can I monitor employee phone usage under GDPR?
You can monitor company-owned devices, but transparency is essential. Employees must be clearly informed about what is monitored, why it is monitored, how the monitoring data is used, and who has access to it. Monitoring must be proportionate to a legitimate business purpose. You cannot covertly monitor without exceptional justification (e.g., suspected criminal activity and only after legal advice). For BYOD devices, monitoring is limited to the work container only — you have no right to monitor personal apps, messages, or browsing on an employee’s personal device.
Q: What fines can the ICO impose for mobile data breaches?
The ICO can impose fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious GDPR violations. In practice, fines for SMEs are typically in the thousands to tens of thousands of pounds, but the reputational damage and cost of investigation often exceed the fine itself. Demonstrating that you had appropriate measures in place (MDM, encryption, screen locks, documented policies) significantly reduces the risk and severity of any enforcement action.
Secure Your Business Mobiles
Company-owned phones with business contracts give you the control you need for GDPR compliance. We compare deals across EE, Vodafone, O2, and Three to find the right solution for your business.
Get a Free QuoteRelated Reading
- Business Mobile Security Tips
- BYOD Policy for Small Business UK
- Business Mobiles for Legal Firms
- Business Mobiles for Healthcare
- WhatsApp Business on Company Phones
- Business Mobile Contract Cancellation Guide
All prices exclude VAT. Fixed £2.50 + VAT/month annual price increase applies each April. Compare The Networks is regulated by OFCOM.