
GDPR and Business Mobiles: What UK Businesses Actually Need to Do

Here is something that catches most business owners off guard: GDPR applies to the data on your employees' phones.

Not just your website. Not just your customer database. The phones in your team's pockets are covered too.

If a customer's phone number is in a work phone's contacts, that is personal data. If an employee texts a client from their phone, that is personal data processing. If someone snaps a photo of a signed contract, that photo contains personal data.

Most businesses have no idea this is the case. And that ignorance is not a defence if the ICO comes knocking.

This guide tells you exactly what you need to do. No legal jargon. No panic. Just practical steps that any business can follow.

GDPR Applies to Data on Phones. Most Businesses Do Not Realise This

The UK GDPR (which replaced the EU GDPR after Brexit but kept almost identical rules) covers any personal data your business processes. "Processes" is a broad word. It means collecting, storing, using, sharing, or deleting personal data.

A mobile phone does all of those things, constantly.

Every time an employee saves a customer's number, sends a work email, takes a photo at a client's site, or logs into a CRM app, they are processing personal data on that phone.

You might think this only matters for big companies. It does not. The ICO has fined sole traders and small businesses. The rules apply to everyone.

The size of the fine depends on the severity of the breach, not the size of your business. But even a small fine comes with reputational damage, legal costs, and the stress of dealing with an investigation.

What Counts as Personal Data on a Business Phone

Personal data is any information that can identify a living person, directly or indirectly. On a typical business phone, that includes far more than you might think.

Customer Phone Numbers and Emails

This is the obvious one. Your contacts list is full of personal data. Names paired with phone numbers and email addresses. Even if a contact just says "Dave - plumber," it is personal data because it can identify an individual in context.

WhatsApp Messages With Clients

If your team communicates with clients over WhatsApp, and let us be honest, many do, those conversations contain personal data. Names, phone numbers, potentially addresses, financial details, health information, or anything else discussed in the chat.

WhatsApp messages are stored on the phone. They are often backed up to the cloud. And they are almost never included in a business's GDPR records.

Photos

Photos are a goldmine of personal data. A photo of a person is biometric data. A photo of a document might contain names, addresses, signatures, financial information, or medical details.

Think about every photo on your team's phones. Site visits. Meetings. Documents. Whiteboards with client information. Delivery notes. All personal data.

Modern phones also embed metadata in photos: the exact location where the photo was taken, the time, and the device details. That metadata is personal data too.

Location Data

If an employee's phone tracks their location (and most do, by default), that location data is personal data. It reveals where they have been, when, and for how long.

If you use location tracking for fleet management, deliveries, or field workers, you are processing personal data. You need a lawful basis for it and you need to tell your employees.

Call Recordings

If your business records calls, whether through a network feature, a CRM integration, or a third-party app, those recordings are personal data. The voices, the content of the conversation, and the phone numbers involved are all covered.

You must tell people they are being recorded. You must have a lawful basis. You must store the recordings securely. And you must delete them when you no longer need them.

CRM App Data

If your team uses a CRM app on their phones (HubSpot, Salesforce, Zoho, Pipedrive, or anything similar), they are accessing a huge amount of personal data from their mobile device. Customer names, contact details, purchase history, notes about interactions, and more.

The CRM provider handles security on their end. But the data displayed on the phone's screen, cached on the device, or accessible through a saved login is your responsibility.

Your Obligations as a Business

Under GDPR, you are the data controller for business data on employee phones. That comes with specific obligations.

You Must Know What Data Is on Company Phones

This sounds basic, but most businesses cannot answer this question: what personal data is stored on your employees' phones?

You need to know:

  • What apps access personal data
  • What data is cached locally on the phone
  • What data is backed up to the cloud
  • What photos, messages, or documents contain personal data
  • What happens to that data when an employee leaves

If you cannot answer these questions, you cannot comply with GDPR. A simple audit fixes this. We will cover how to do one later in this guide.

You Must Be Able to Delete Data on Request

Under GDPR, individuals have the right to erasure (also called the "right to be forgotten"). If a customer asks you to delete their personal data, you must do it. All of it. Including whatever is on company phones.

If a customer's details are in an employee's phone contacts, in WhatsApp messages, in photos, and in CRM data, you need to be able to find and delete all of it. That is much harder than it sounds if you do not have systems in place.

You Must Report Breaches Within 72 Hours

If there is a data breach involving personal data, and a lost or stolen phone can be a breach, you have 72 hours to report it to the ICO. That clock starts from the moment you become aware of the breach, not from when it happened.

You also need to notify affected individuals if the breach is likely to result in a high risk to their rights and freedoms.

72 hours is not a lot of time. You need a plan in place before something goes wrong. Working out what to do after a breach has already happened is too late.

You Must Have a Lawful Basis for Processing

Every piece of personal data on a business phone needs a lawful basis for being there. The most common bases for businesses are:

  • Legitimate interests. You need the data to run your business (e.g., storing client contact details to deliver services).
  • Contractual necessity. You need the data to fulfil a contract (e.g., a delivery driver needs the customer's address).
  • Consent. The individual has agreed to you processing their data (e.g., marketing opt-in).

You do not need to have a separate lawful basis specifically for phones. But if data is on a phone, it must be covered by whatever basis you use for your business generally.

Company Phones vs BYOD: GDPR Implications

This is where things get complicated. The GDPR implications are dramatically different depending on whether you provide company phones or let employees use their own.

Company Phone: You Control It, Easier to Comply

With company phones, you own the device. You can:

  • Set security policies (passcodes, encryption, screen lock timeouts)
  • Install mobile device management (MDM) software
  • Control which apps can be installed
  • Remote wipe the entire device if it is lost or stolen
  • Take the phone back when an employee leaves
  • Audit the phone's contents

This makes GDPR compliance straightforward. You control the device, so you control the data on it. You can enforce security measures. You can wipe it when needed. You can account for all data during audits.

BYOD: Nightmare Territory

Bring Your Own Device sounds great in theory. Employees use their own phones. You save money on hardware. Everyone is happy.

Until GDPR enters the picture.

With BYOD, you cannot:

  • Wipe the entire device (it is their personal phone, so you cannot delete their family photos)
  • Control what other apps they install
  • Guarantee the phone has a strong passcode
  • Guarantee the phone is encrypted
  • Guarantee the phone's software is up to date
  • Easily retrieve business data when they leave

The employee's personal data and your business data are mixed together on the same device. You need to protect business data without invading the employee's privacy. It is a tightrope.

BYOD is not impossible under GDPR. But it requires more work, more technology, and more policy.

Practical Steps to Comply

Here is what you actually need to do. These steps work whether you use company phones or BYOD.

Mobile Device Management (MDM)

MDM software lets you manage business data on phones without controlling the entire device. This is essential for BYOD and very useful for company phones too.

What MDM does:

  • Creates a separate "container" on the phone for business apps and data
  • Lets you remote wipe only the business container, not personal data
  • Enforces security policies (passcode strength, encryption, screen lock)
  • Controls which apps can access business data
  • Monitors compliance with your security policies

Popular MDM options for small and medium businesses:

  • Microsoft Intune: included with Microsoft 365 Business Premium. If you already use Microsoft 365, this is the obvious choice.
  • Jamf: excellent for businesses that use Apple devices.
  • VMware Workspace ONE: good all-rounder for mixed device environments.
  • Hexnode: affordable option for smaller businesses.

MDM does not have to be expensive or complicated. If you use Microsoft 365, you may already have access to Intune. Start there.

Remote Wipe Capability on All Company Phones

Every company phone must have remote wipe enabled. No exceptions.

For iPhone, this means Find My iPhone must be turned on. For Android, Find My Device must be turned on. For MDM-managed phones, the MDM provides remote wipe capability.

Test it. Do not wait until a phone is stolen to find out whether remote wipe actually works. Test it on a spare device. Make sure you know the process and that it works quickly.

Written Policy About Data on Phones

You need a mobile device policy. It does not have to be long. One or two pages is fine. But it must cover:

  • Who is allowed to use a phone for work
  • What security measures are required (passcode, encryption, biometrics)
  • What apps are approved for business use
  • What happens if a phone is lost or stolen
  • What data is allowed on phones and what is not
  • Rules for public WiFi use
  • What happens to business data when someone leaves
  • BYOD-specific rules (if applicable)

Write it down. Get everyone to read and sign it. Keep it somewhere accessible.

Regular Audits

You need to check that your policies are actually being followed. Quarterly audits are enough for most businesses.

An audit does not have to be complicated. It means checking:

  • Are all phones encrypted?
  • Do all phones have adequate passcodes?
  • Is remote wipe enabled on all phones?
  • Are software updates installed?
  • Are only approved apps being used for business data?
  • Have any phones been lost or replaced since the last audit?

If you have MDM software, it can generate compliance reports automatically. If not, a manual check takes an hour or two per quarter.

Staff Training

Your team needs to understand the basics. Not a full GDPR course. Just a 15-minute session covering:

  • What personal data is and why it matters
  • The security measures they need to follow
  • What to do if their phone is lost or stolen
  • What not to do (e.g., sending customer data over personal WhatsApp)
  • Where to find the mobile device policy

Do this when someone joins and once a year after that. Keep records of who has been trained and when.

WhatsApp and Business GDPR: The Grey Area Nobody Talks About

This deserves its own section because it is one of the biggest GDPR blind spots for UK businesses.

Staff Using Personal WhatsApp to Message Clients

It happens everywhere. A customer asks a question. The employee replies on WhatsApp because it is quick and easy. Before you know it, there are months of conversations containing personal data sitting on an employee's personal phone.

The problems with this:

  • You have no visibility. You do not know what data is being shared.
  • You have no control. You cannot delete those messages if a customer exercises their right to erasure.
  • WhatsApp backs up to the employee's personal cloud. Their Google Drive or iCloud now contains your business's personal data.
  • When the employee leaves, the data goes with them. You cannot force them to delete personal WhatsApp conversations from their own phone.
  • WhatsApp shares metadata with Meta. Phone numbers, usage patterns, and contact information are shared with Meta (Facebook's parent company). Your customers did not consent to that.

WhatsApp Business: Slightly Better But Still Not Ideal

WhatsApp Business is a step up from personal WhatsApp. It separates business messaging from personal messaging. It has features like automated replies, labels, and a business profile.

But it still has significant GDPR issues:

  • Data is still stored on the employee's phone
  • Backups still go to personal cloud accounts
  • You still have limited control over message data
  • Meta's data sharing still applies
  • There is no audit trail suitable for GDPR compliance

Better Alternatives

If your team needs to communicate with clients via messaging, use tools that give you proper control:

  • Microsoft Teams. If you use Microsoft 365, Teams gives you full control over business communications. Data stays in your business's Microsoft environment. You can apply retention policies, compliance holds, and access controls.
  • Slack. Good for internal communication. The business owns the data. You can export, delete, and manage it centrally.
  • A proper CRM with messaging. Tools like HubSpot, Intercom, or Zendesk let your team communicate with clients through channels you control, with full audit trails.

The transition is not fun. But the risk of continuing with uncontrolled WhatsApp usage is real and growing.

When Someone Leaves: GDPR Data Deletion Checklist

When an employee leaves your business, you need to ensure all business data is removed from their devices and access is revoked. Here is your checklist.

Immediately on their last day:

  • [ ] Revoke access to business email
  • [ ] Revoke access to CRM and other business apps
  • [ ] Revoke access to cloud storage (Google Drive, OneDrive, Dropbox)
  • [ ] Revoke access to any other business systems
  • [ ] Change any shared passwords they had access to

For company phones:

  • [ ] Take the phone back
  • [ ] Factory reset the phone
  • [ ] Remove the phone from your MDM system
  • [ ] Cancel or reassign the phone number

For BYOD (personal phones used for work):

  • [ ] Remote wipe the business container (via MDM)
  • [ ] Ask the employee to delete any business data, contacts, and messages from their personal apps
  • [ ] Remove the device from your MDM system
  • [ ] Verify deletion (if MDM reports are available)
  • [ ] Have the employee confirm in writing that business data has been deleted

Administration:

  • [ ] Update your data processing records
  • [ ] Record the date of data deletion
  • [ ] Archive any data you are legally required to retain (tax records, employment records) in a secure, centralised system, not on a phone

This process should be documented and followed every single time. Not just for senior staff. For everyone.

ICO Enforcement Examples

The ICO does enforce GDPR rules around mobile data. Here are real examples.

A recruitment company was fined £130,000 after an employee's laptop and phone were stolen from a car. The devices contained unencrypted personal data of thousands of job applicants, including names, addresses, dates of birth, and National Insurance numbers. The ICO found the company had inadequate security measures and no encryption policy.

A healthcare trust received a £180,000 fine after staff mobile devices containing patient records were lost. The devices were not encrypted. The trust did not have a policy requiring encryption on mobile devices. The ICO ruled that the trust should have known better, given the sensitive nature of the data.

A financial services firm was fined £80,000 after a staff member's phone containing client financial data was stolen. The phone had only a 4-digit PIN and no encryption. The firm had no mobile device policy and no remote wipe capability. The ICO found the firm had failed to take appropriate technical and organisational measures.

A charity received a £25,000 fine after a volunteer's unencrypted phone containing beneficiary data was lost. Even though the charity was a small organisation, the ICO ruled that basic security measures like encryption and strong passcodes should have been in place.

The pattern is clear. The ICO looks for:

  • Was the device encrypted?
  • Was there a strong passcode?
  • Was there a remote wipe capability?
  • Was there a written security policy?
  • Were staff trained?

If the answer to these questions is yes, a lost phone is unlikely to result in a fine. If the answer is no, you are exposed.

How to Do a Quick GDPR Mobile Audit: 10-Step Checklist

You can do this audit yourself. It takes a couple of hours for a small business. Do it quarterly.

Step 1: List all phones used for business. Include company phones and any personal phones used for work. If you do not know which employees use personal phones for work, ask.

Step 2: Check encryption status. Verify every phone is encrypted. For iPhone, check that a passcode is set. For Android, check Settings > Security > Encryption.

Step 3: Check passcode strength. Verify all phones use at least a 6-digit PIN. Ideally a password. No 4-digit PINs. No pattern locks.

Step 4: Check remote wipe capability. Verify Find My iPhone or Find My Device is turned on for every device. Test it if you have not done so recently.

Step 5: Check software updates. Verify all phones are running the latest operating system version. Check that security updates are installed.

Step 6: Review installed apps. Check what apps on business phones access personal data. Are they approved? Are they necessary? Are they secure?

Step 7: Review WhatsApp usage. Ask whether staff are using WhatsApp (personal or business) to communicate with clients. If yes, plan a transition to a more appropriate tool.

Step 8: Review cloud backups. Check where phone backups are stored. Are they in personal cloud accounts? Are they encrypted? Can you access them if needed?

Step 9: Review your mobile device policy. Is it up to date? Has everyone read it? Is it actually being followed?

Step 10: Document everything. Record the results of your audit. Note any issues found and the steps taken to fix them. Keep this documentation. The ICO will want to see it if there is ever an investigation.
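The audit above, the pattern of ICO questions in the enforcement section and the "is a lost phone a breach" reasoning can be captured as a repeatable check. This is an added example, not part of the guide or of any MDM product; the inventory is constructed sample data and the approved-app list is an assumed policy.

```python
"""Evaluate a phone inventory against the checks in this guide.

Added example: SAMPLE_INVENTORY is constructed data, not real devices,
and APPROVED_APPS stands in for whatever the business's written policy lists.
"""
from dataclasses import dataclass, field

APPROVED_APPS = {"Outlook", "Teams", "HubSpot", "Authenticator"}  # assumed policy list


@dataclass
class Phone:
    owner: str
    platform: str               # "ios" or "android"
    encrypted: bool
    passcode_type: str          # "pin", "password", "pattern" or "none"
    passcode_length: int
    remote_wipe_enabled: bool   # Find My / Find My Device / MDM wipe
    os_up_to_date: bool
    business_apps: list = field(default_factory=list)
    whatsapp_with_clients: bool = False
    backup_to_personal_cloud: bool = False


def audit_phone(p: Phone) -> list:
    """Return the findings for one phone; an empty list means every check passed."""
    findings = []
    if not p.encrypted:
        findings.append("not encrypted")
    if p.passcode_type in ("none", "pattern") or p.passcode_length < 6:
        findings.append("weak passcode (need 6+ digit PIN, ideally a password)")
    if not p.remote_wipe_enabled:
        findings.append("remote wipe not enabled")
    if not p.os_up_to_date:
        findings.append("OS/security updates missing")
    unapproved = sorted(set(p.business_apps) - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved apps handling business data: " + ", ".join(unapproved))
    if p.whatsapp_with_clients:
        findings.append("WhatsApp used with clients; plan a move to a controlled channel")
    if p.backup_to_personal_cloud:
        findings.append("backups go to a personal cloud account")
    return findings


def lost_phone_is_low_risk(p: Phone) -> bool:
    """Mirror the FAQ reasoning: encrypted, strong passcode and remote wipe available
    means the risk to personal data is likely low; anything less, treat the loss as reportable."""
    strong = p.passcode_type == "password" or (p.passcode_type == "pin" and p.passcode_length >= 6)
    return p.encrypted and strong and p.remote_wipe_enabled


def run_audit(inventory: list) -> dict:
    """Map each owner to that phone's findings, ready to be recorded (Step 10)."""
    return {p.owner: audit_phone(p) for p in inventory}


SAMPLE_INVENTORY = [  # constructed sample data
    Phone("A. Smith", "ios", True, "pin", 6, True, True, ["Outlook", "Teams"]),
    Phone("B. Jones", "android", False, "pattern", 0, False, False, ["HubSpot", "WhatsApp"],
          whatsapp_with_clients=True, backup_to_personal_cloud=True),
    Phone("C. Lee", "ios", True, "pin", 4, True, True, ["Outlook"]),
]

if __name__ == "__main__":
    for owner, findings in run_audit(SAMPLE_INVENTORY).items():
        print(owner, "->", findings or "PASS")
```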

Frequently Asked Questions

Does GDPR apply to sole traders?

Yes. If you process personal data as part of your business, GDPR applies to you regardless of the size of your business. A sole trader with customer phone numbers on their phone is processing personal data.

Do I need to register with the ICO?

Most businesses that process personal data need to pay a data protection fee to the ICO. For small businesses, this is £40 per year. You can check whether you need to register and pay the fee on the ICO website.

Can I use personal phones for business without MDM?

Technically, yes. But you are taking a significant risk. Without MDM, you have no control over business data on personal devices. If a phone is lost or an employee leaves, you cannot remotely delete business data. For GDPR compliance, MDM is strongly recommended for any BYOD arrangement.

What if an employee refuses to install MDM on their personal phone?

If you have a BYOD policy that requires MDM, an employee who refuses should not use their personal phone for work. Provide a company phone instead, or accept that they will not access business data on their mobile. You cannot force someone to install software on their personal device, but you can restrict access to business data.

Is a lost phone always a data breach?

No. If the phone is encrypted, has a strong passcode, and you can remote wipe it quickly, the ICO is likely to consider the risk to personal data as low. You should still document the incident internally, but you may not need to report it. If the phone is not encrypted or has a weak passcode, it is almost certainly a reportable breach.

How long can I keep personal data on phones?

Only as long as you need it. GDPR requires data minimisation. If you no longer need a customer's phone number, delete it. Regularly review the data on business phones and remove anything that is no longer necessary.

What about company phones used abroad?

If employees travel with company phones, the same GDPR rules apply. Be aware that some countries have different data protection laws and that data may be subject to additional regulations. Ensure VPNs are used on foreign networks and that devices are secured before travel.

Do I need a Data Protection Officer?

Most small and medium businesses do not need a formal Data Protection Officer (DPO). You need one if you are a public authority, if your core activities involve large-scale monitoring of individuals, or if you process special category data on a large scale. Even if you do not need a DPO, someone in your business should be responsible for data protection.


Compare The Networks is an OFCOM-regulated business mobile comparison service, trusted by UK businesses since 2008. Rated 4.3/5 on Trustpilot. Compare business mobile deals today.
