[zaroth]

I’m pretty sure GDPR protection of “personal data” applies to employees and not just customers.

If my personal calendar and work emails are being copied onto your device, you better believe the GDPR data protection regulations apply.

The house example is ridiculous. The point is if you commingle the data in ways such that the endpoint protection software no longer supports delineating the corporate data, then the user (employee/contractor) has opted into that situation with eyes wide open.

> Computing devices need to be protected from loss or theft through mobile device management capabilities, such as remote wipe and kill. A lost device could be the weak link in the data protection chain, leading to a data breach based on information stored on the device or accessible through still active user credentials. Enforcing certain settings in order for a device to connect to the network at all – such as local encryption, password complexity, the presence and currency of security software, and the removal of the local administrator account – will be an essential part of protecting the organization within the GDPR framework.

[1] - https://www.actiance.com/wp-content/uploads/2017/03/WP-GDPR-...

[chipotle_coyote]

The house example is exaggerated, but as I wrote in another reply: just as my personal physical property does not become company property if I am on their physical property, my personal data should not become company data if I am on their network.

> If you commingle the data in ways such that the endpoint protection software no longer supports delineating the corporate data, then the user (employee/contractor) has opted into that situation with eyes wide open.

You're assuming the user has been given a clear understanding of the situation, and frankly, I think you're letting the IT department off the hook here. They need to either provide protection that can prevent "commingling" to their satisfaction, to grant a comparable level of trust to users with personal devices that they do in other aspects of conducting business (which was the real point of the example you didn't like), or just to ban personal devices.

[zaroth]

> They need to either provide protection that can prevent "commingling" to their satisfaction, to grant a comparable level of trust to users with personal devices that they do in other aspects of conducting business (which was the real point of the example you didn't like), or just to ban personal devices.

DLP (data loss prevention) software should be present on any personal computing device that can store company data, which will be a requirement of their cyber-security insurance policy, a requirement of the various audits they surely undergo, and probably also a requirement of GDPR.

It's providing strictly more choice and flexibility to their employees and contractors to allow them to host company data on their personal device, the obvious trade-off being made when you install the DLP endpoint software on your phone and grant it permission to remote-wipe your device if necessary.

If the company required their employees/contractors to use their personal device for company business, this would be an entirely different discussion. In California, the employer is required to reimburse employees for using their personally owned device for company business - i.e. required to pay for the cost of a phone and the service plan.

Employees choose not to buy a second phone and get paid for their service plan on their personal phone for convenience, and to save themselves the cost of a personal plan. Some choices are not strictly good, but include pros and cons which are individual's responsibility to weigh.

I think it's a safe assumption that anyone choosing to install the DLP agent on their personal phone, particularly at a company like Google, does so fully informed of the responsibilities that come with that decision.