Enterprise Mobility Management
According to article 7 of the Federal Act on Data Protection (FADP) and articles 8 to 12 of the Ordinance to the Federal Act on Data Protection (OFADP), personal data that is processed, such as the personnel’s personal data, must be adequately protected, particularly through adequate Technical and Organisational Measures (TOMs; cf. article 7 of the draft to the FADP dated 15 September 2017, and in addition article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679)).
TOMs have to be adapted to the specific case and to the expected risks in connection with the use of particular devices, applications and technologies. In this context, companies must give special attention to the business use of mobile devices, such as smartphones, tablets, or laptops, namely if the employees use (or are allowed to use) such devices not only for business but also privately, so that there is a risk of mixing the personnel’s business and private data. Such mixing of business and private data could pose legal issues, particularly in the case of remote deletion of data when a device is lost or stolen, or when abiding by obligations to preserve records, e.g. if private data is also deleted or stored together with business data.
Consequently, depending on whether the company follows a “Bring Your Own Device” (BYOD), “Choose Your Own Device” (CYOD) or “Corporate-Owned, Personally Enabled” (COPE) strategy concerning mobile devices, different legal implications arise concerning integration, administration and security. Depending on the company’s size, it is therefore advisable to address and minimise the risks as a whole through device, application, user and data management. For that purpose, so-called Enterprise Mobility Management (EMM) solutions or, increasingly so in the future, Unified Endpoint Management (UEM) solutions are used. Of course, when selecting and configuring such solutions, the company must always comply with all legal data protection requirements, especially when cloud-based technologies, through which transborder data flows may take place, are to be used. Nevertheless, an EMM or UEM solution should make a significant contribution towards establishing a strict separation between business and private data on mobile devices.