
We used to argue about whether staff should be allowed to use their own phones. The argument has moved on. Most owners have not.
The question on the table now is not ‘should staff use their own phones?’. It is ‘if a device went missing tonight, would you know, and could you wipe it?’. Most owners cannot answer either with confidence. That is the gap this blog is about.
A recruitment consultant gets off the late train. Their laptop is in the bag they left on the seat. By the time the bag reaches lost property, one of two things is true.
In the first version, the laptop is encrypted, has a PIN, and can be remotely wiped from a web console. Whoever finds the bag has a paperweight. The owner gets a message confirming the wipe is queued. Insurance opens Monday. Nothing goes to the regulator because the data is not readable.
In the second version, none of that is true. The laptop has a four-digit Windows PIN, no encryption, three years of cached candidate emails, and eighteen CVs and a salary spreadsheet sitting in the Downloads folder. It is now a regulator-relevant event, the company is the data controller, and the next 72 hours involve a lot of phone calls.
The interesting bit is not which version is more dramatic. It is that they cost roughly the same to set up in advance. The difference is whether anyone got round to it.
UK GDPR puts the liability on the employer, not the device. Whose phone it is does not change whose fine it is.
The cleanest precedent is still the Ealing and Hounslow Council case. Two unencrypted laptops carrying records of around 1,700 vulnerable people were stolen from a worker’s home. Both councils had encryption policies in writing. Neither had encryption configured on the actual device. Fifteen years on, the takeaway is the same. The staff handbook is not the thing that protects you. The configuration on the laptop is.
For a recruitment business carrying CVs, right-to-work documents, salary history and sometimes medical disclosure on every laptop, this is the regulatory failure mode that comes up first when an officer asks what controls you had in place. ‘We have a policy’ does not, on its own, satisfy the question. ‘We set the rule centrally and the dashboard shows every device green’ does. Per head of staff, recruiters carry more sensitive personal data than most SMEs the same size.
The old BYOD argument was a binary. Either the company hands out work phones to everyone, which costs real money and creates real friction, or staff use their own phones with no controls and the company carries the risk.
App protection policies give you a third option. The company does not enrol the phone, does not own it, does not see the personal apps. It only manages the work apps inside that device.
What you can enforce inside that fence: a separate PIN to open the work apps, a block on copy and paste between work apps and personal apps so a consultant cannot paste candidate data out of Outlook into WhatsApp, a block on screenshots inside the work chat app, and a selective wipe of the work data when an employee leaves or the phone goes missing, with personal photos untouched.
The combination of ‘we let staff use their own phones’ and ‘we have no app-level controls’ is the failure mode. The fix is not a corporate phone policy. It is the boring bit of configuration nobody got round to doing.
Most founders think they are paying for IT support. Most are paying for repair.
The difference shows up at the moment the laptop goes missing, not before. A break-fix arrangement is reactive by design. Something breaks, you call, an engineer attends, an invoice is generated. Nothing about that model has anything to say about whether your devices were encrypted at 19:48 last Tuesday. By the time the engineer is involved, the laptop is already gone.
Managed services, done properly, is a different posture. The provider is responsible for the configuration that prevents the bad version of the train scene. The work that does not generate an invoice is the work that decides what happens when a device disappears.
Three things, in order –
