Can my employer access my personal data if an MDM manages my smartphone?
Many employees do not trust their company’s MDM solution because they are concerned about the privacy of their data and control of their personal devices.
Protecting company data is more important than ever, and that protection starts with the devices that use and store that data. Regardless of the device and its owner, it is increasingly difficult to ensure the security of corporate data as the hybrid world of work takes hold. As flexibility becomes more prevalent in our workforce, the range of devices used is changing, and more and more people now do some of their work from a mobile phone.
Mobile device management solutions allow IT teams and administrators to control and distribute security policies to mobile devices accessing sensitive corporate data, ensuring the security of the corporate network.
Although this phenomenon is not new, the challenges it poses are greater than ever. The work phone once reigned supreme, but the increased use of BYOD (Bring-Your-Own-Device) has led to a backlash against traditional MDM (Mobile Device Management), with many employees unwilling to enroll their personal device in such a solution.
This is exactly why trust plays an important role, both from the employee’s and the employer’s perspective. Many employees do not trust their company’s MDM solution because they are concerned about the privacy and control of their personal devices. From the employer’s perspective, there must be a level of control over organisational data, regardless of the device. This raises the question of whether the company should block access to unregistered BYOD devices. If an organisation decides to allow personal mobile devices, how can it protect the data that might be on them?
What rights does my employer have?
Your employer is allowed to monitor its employees during their working hours or at their place of work. For example, the employer has a right of access to business papers (even in closed drawers), and also to computer equipment used in the course of work. On the other hand, restrictions are set out to protect the right to privacy. These cover the installation of surveillance cameras without informing employees, telephone tapping without the knowledge of employees, etc., and the monitoring of everything that belongs to the employee’s private sphere.
Can my employer use an MDM to manage my personal device?
Company-owned mobile devices are fully managed remotely by the IT administrator, who can see their geographical location, access their web browsing history, and restrict the allowed applications. Personal BYOD devices do not offer the same possibilities at all.
Enabling a work profile allows companies to manage work data and applications, but leaves everything else on the mobile device under the user’s control. Administrators can securely manage the business side, but have no control over personal applications and data: they cannot see, access or delete anything personal.
Importantly, the administrator cannot install the MDM on your phone unilaterally: it is up to you to download the MDM application from the Play Store. Even once the MDM is installed, you can deactivate or pause business applications with one click, thus respecting the right to disconnect from work. Furthermore, at any time, you can go to the device settings and delete the work profile: all business data and business apps in the container will be deleted from the phone or tablet.
What about the GDPR?
In BYOD, the MDM can only protect sensitive data (management of passwords for access to the work profile, deletion of professional data in case of loss/theft) and remotely push the resources needed for day-to-day work (installation of business applications, synchronisation of professional contacts). The only personal data processed are therefore:
- Name, first name and email address (if entered by the administrator)
- The serial number of the device and its IMEI
- The list of business applications installed in the work profile only
- The list of business contacts added by the IT administrator to the device’s business directory
- A list of business files pushed by the IT administrator to the device’s work profile
If the chosen MDM solution is based (and stores its data) in Europe, and has a clear and well-defined GDPR policy, you need not worry about access to your personal data, which is perfectly well protected.