[zaroth]

How else could corporate IT possibly do it?

A contractor can deduct work expenses from income, a phone is just one item on a long list of things that will be deducted.

If there is corporate information on a device, it would be a breach of their fiduciary responsibility not to manage that device and have the ability to remotely wipe that data.

[chipotle_coyote]

> If there is corporate information on a device, it would be a breach of their fiduciary responsibility not to manage that device and have the ability to remotely wipe that data.

I don't think, in a legal sense, that's true. It feels like it comes from the same mindset that corporations have a "fiduciary responsibility" to their shareholders to always put profits above all else; in fact, there's nothing in corporate law or financial regulations that requires that at all.

The IT department has responsibility for network and systems policies and company-owned equipment, and it's perfectly reasonable for them to have the ability to wipe data on that equipment or set policies that disallow personal devices on company networks at all. But they have no requirement -- and I would argue no business -- to wipe a non-company device just because someone added a corporate email account to it.

Does that make it marginally more likely that someone could keep corporate email that they weren't supposed to? Sure. But there are other legal ways of handling that which aren't destructive to non-company property. No one would argue that a policy of "if you take physical work home, upon termination the company can set fire to your house to ensure all copies are destroyed" is enforceable.

[zaroth]

I’m pretty sure GDPR protection of “personal data” applies to employees and not just customers.

If my personal calendar and work emails are being copied onto your device, you better believe the GDPR data protection regulations apply.

The house example is ridiculous. The point is if you commingle the data in ways such that the endpoint protection software no longer supports delineating the corporate data, then the user (employee/contractor) has opted into that situation with eyes wide open.

> Computing devices need to be protected from loss or theft through mobile device management capabilities, such as remote wipe and kill. A lost device could be the weak link in the data protection chain, leading to a data breach based on information stored on the device or accessible through still active user credentials. Enforcing certain settings in order for a device to connect to the network at all – such as local encryption, password complexity, the presence and currency of security software, and the removal of the local administrator account – will be an essential part of protecting the organization within the GDPR framework.

[1] - https://www.actiance.com/wp-content/uploads/2017/03/WP-GDPR-...

[chipotle_coyote]

The house example is exaggerated, but as I wrote in another reply: just as my personal physical property does not become company property if I am on their physical property, my personal data should not become company data if I am on their network.

> If you commingle the data in ways such that the endpoint protection software no longer supports delineating the corporate data, then the user (employee/contractor) has opted into that situation with eyes wide open.

You're assuming the user has been given a clear understanding of the situation, and frankly, I think you're letting the IT department off the hook here. They need to either provide protection that can prevent "commingling" to their satisfaction, to grant a comparable level of trust to users with personal devices that they do in other aspects of conducting business (which was the real point of the example you didn't like), or just to ban personal devices.

[zaroth]

> They need to either provide protection that can prevent "commingling" to their satisfaction, to grant a comparable level of trust to users with personal devices that they do in other aspects of conducting business (which was the real point of the example you didn't like), or just to ban personal devices.

DLP (data loss prevention) software should be present on any personal computing device that can store company data, which will be a requirement of their cyber-security insurance policy, a requirement of the various audits they surely undergo, and probably also a requirement of GDPR.

It's providing strictly more choice and flexibility to their employees and contractors to allow them to host company data on their personal device, the obvious trade-off being made when you install the DLP endpoint software on your phone and grant it permission to remote-wipe your device if necessary.

If the company required their employees/contractors to use their personal device for company business, this would be an entirely different discussion. In California, the employer is required to reimburse employees for using their personally owned device for company business - i.e. required to pay for the cost of a phone and the service plan.

Employees choose not to buy a second phone and get paid for their service plan on their personal phone for convenience, and to save themselves the cost of a personal plan. Some choices are not strictly good, but include pros and cons which are individual's responsibility to weigh.

I think it's a safe assumption that anyone choosing to install the DLP agent on their personal phone, particularly at a company like Google, does so fully informed of the responsibilities that come with that decision.

[mcguire]

"But they have no requirement -- and I would argue no business -- to wipe a non-company device just because someone added a corporate email account to it."

Personal devices are excellent attack vectors if allowed on the internal network unmanaged. The alternative is not accessing internal resources, email, etc., unless the employee is given a company-owned device.

[chipotle_coyote]

I'd genuinely argue that if the company's worried about that, they should either (a) to disallow personal devices on the internal network, period, or (b) find a management solution that does not involve putting data they do not manage at risk. Just as my personal physical property does not become company property if I am on their physical property, my personal data should not become company data if I am on their network. I understand that segregating data that way may be a hard IT problem, but if they can't do it, the solution should not be "welp, we control your data now."