The Mobile Data Risk
Your office might have locked doors and alarm systems. But the laptop in your bag has:
- Customer contact details
- Email history (often containing sensitive information)
- Financial data (invoices, quotes, bank details)
- Contracts and legal documents
- Login credentials (saved passwords, session tokens)
If that laptop is lost or stolen without proper protection, you've got a data breach—with GDPR reporting obligations, potential fines, and reputational damage.
Mobile phones are even higher risk—easier to lose, frequently left in taxis or pubs, yet often containing work email and documents.
The Three Essentials
Every business device needs these three protections as a minimum:
1. Full-Disk Encryption
Encryption scrambles all data on the device. Without the password/key, a stolen device is useless to a thief—they can't access your data.
2. Strong Authentication
PIN, password, fingerprint, or face recognition prevents casual access. Without it, anyone who picks up the device can see everything.
3. Remote Wipe Capability
If a device is lost or stolen, you need to be able to wipe it remotely—erasing data before someone accesses it.
Let's implement each properly.
Full-Disk Encryption
Windows: BitLocker
BitLocker is built into Windows Pro, Enterprise, and Education editions.
**Check if enabled**:
1. **Control Panel** → **System and Security** → **BitLocker Drive Encryption**
2. Should show "BitLocker on" for your main drive
**Enable if not**:
1. Same location, click "Turn on BitLocker"
2. Choose how to unlock: Password and/or TPM (hardware chip)
3. **Critical**: Save the recovery key somewhere safe (not on the same device)
4. Encrypt entire drive
5. Choose encryption mode (usually "New encryption mode" for internal drives)
6. Start encryption (can take hours, don't interrupt)
**Recovery key storage**:
- Save to Microsoft account (convenient, tied to your account)
- Save to file (put on USB drive, store securely)
- Print (store in safe)
- Save to Azure AD (if using Microsoft 365 Business Premium)
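As an added example (not from the original article), the PowerShell audit below checks the BitLocker items above on one laptop (protection on, encryption finished, TPM unlock, recovery key present) and so doubles as the Day 1 encryption audit. It assumes the built-in BitLocker module and an elevated session; the Azure AD escrow step only applies to a device joined to Azure AD.

```powershell
# Added example, not from the article: audit BitLocker on a Windows Pro/Enterprise
# laptop and report the items the article asks you to check. Uses the built-in
# BitLocker module; run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-BitLockerAudit {
    # One report object per drive BitLocker knows about (C: plus any data drives).
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            Drive              = $vol.MountPoint
            ProtectionStatus   = $vol.ProtectionStatus     # On or Off
            VolumeStatus       = $vol.VolumeStatus         # FullyEncrypted, EncryptionInProgress, FullyDecrypted
            EncryptionPercent  = $vol.EncryptionPercentage
            EncryptionMethod   = $vol.EncryptionMethod     # XtsAes128/XtsAes256 is the "new encryption mode"
            TpmProtector       = ($types -contains 'Tpm') -or ($types -contains 'TpmPin')
            RecoveryKeyPresent = ($types -contains 'RecoveryPassword')
        }
    }
}

$audit = Get-BitLockerAudit
$audit | Format-Table -AutoSize

# Warn about the states that turn a lost laptop into a likely reportable breach.
foreach ($row in $audit) {
    if ($row.ProtectionStatus -ne 'On') {
        Write-Warning "$($row.Drive) protection is OFF: data is readable by anyone who has the disk."
    } elseif ($row.VolumeStatus -ne 'FullyEncrypted') {
        Write-Warning "$($row.Drive) encryption is $($row.EncryptionPercent)% complete; let it finish."
    }
    if (-not $row.RecoveryKeyPresent) {
        Write-Warning "$($row.Drive) has no recovery password protector: a TPM change or forgotten PIN locks you out."
    }
}

# Optional: escrow the recovery key to Azure AD so it is not stored only on the
# device. Works only on an Azure AD-joined device; set to $true to run it.
$EscrowToAzureAD = $false
if ($EscrowToAzureAD) {
    foreach ($vol in Get-BitLockerVolume) {
        $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | ForEach-Object {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $_.KeyProtectorId
        }
    }
}
```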
**Enforce via Intune** (Microsoft 365 Business Premium):
Create a device configuration profile that requires BitLocker—devices encrypt automatically.
Windows Home Edition
BitLocker isn't available in Windows Home. Options:
- **Upgrade to Pro** (around £100)
- **Device Encryption** (available if device meets requirements, Settings → Privacy & Security → Device Encryption)
- **Third-party**: VeraCrypt (free, more complex)
macOS: FileVault
FileVault is Apple's full-disk encryption, built into macOS.
**Check if enabled**:
1. **System Preferences** → **Privacy & Security** → **FileVault**
2. Should show "FileVault is turned on"
**Enable if not**:
1. Click "Turn On FileVault"
2. Choose recovery method:
- iCloud account (convenient, requires Apple ID)
- Recovery key (write down, store securely)
3. Restart to begin encryption
**Enforce via MDM**: Jamf, Kandji, or other Mac MDM can enforce FileVault.
Mobile Devices
**iPhone/iPad**: Encrypted by default when a passcode is set. No action needed beyond setting a passcode.
**Android**: Most modern Android devices encrypt by default. Verify: **Settings** → **Security** → **Encryption**.
Strong Authentication
Laptops
**Minimum requirements**:
- Password at least 8 characters (12+ is better)
- Automatic lock after 5-15 minutes of inactivity
- Password required on wake from sleep
**Better**: Windows Hello (fingerprint or face recognition) or macOS Touch ID/Face ID.
**Set auto-lock (Windows)**:
**Settings** → **Accounts** → **Sign-in options** → **Require sign-in**: When PC wakes from sleep
**Set auto-lock (macOS)**:
**System Preferences** → **Lock Screen** → Set "Turn display off" and "Require password immediately after sleep"
Mobile Devices
**Minimum requirements**:
- 6-digit PIN (not 4-digit)
- Or alphanumeric password
- Auto-lock after 1-5 minutes
- Biometric (fingerprint/face) recommended
**Configure (iPhone)**:
**Settings** → **Face ID & Passcode** (or Touch ID & Passcode)
- Set passcode
- Enable biometric
- Set auto-lock: **Settings** → **Display & Brightness** → **Auto-Lock**
**Configure (Android)**:
**Settings** → **Security** → **Screen lock**
- Set PIN or password
- Enable fingerprint if available
- Set auto-lock timeout
What Not to Use
- 4-digit PINs (too easy to guess)
- Pattern locks (often guessable from screen smudges)
- Simple passwords ("password", company name + year)
- No authentication at all
Remote Wipe Capability
For Windows/Mac: Microsoft Intune
If you have Microsoft 365 Business Premium, Intune provides remote wipe:
1. Enroll devices in Intune (Settings → Accounts → Access work or school → Connect)
2. When device is lost: Intune admin centre → Devices → Find device → Wipe or Retire
**Wipe**: Complete factory reset
**Retire**: Removes company data, leaves personal data (for BYOD)
For Mac: Find My Mac
Apple's built-in feature:
1. Enable: **System Preferences** → **Apple ID** → **iCloud** → **Find My Mac**: On
2. When lost: Go to icloud.com/find, sign in, select device, click "Erase Mac"
For iPhone/iPad: Find My iPhone
1. Enable: **Settings** → [Your name] → **Find My** → **Find My iPhone**: On
2. When lost: Go to icloud.com/find, select device, click "Erase iPhone"
For Android: Google Find My Device
1. Enable: **Settings** → **Security** → **Find My Device**: On
2. When lost: Go to google.com/android/find, select device, click "Erase device"
Important: Encryption + Remote Wipe
Remote wipe only works when the device is online. If a thief turns the device off or removes the SIM, the wipe command stays queued and does not run until the device next connects, which may be never. **Encryption protects the data even when the wipe fails.** Both are essential.
BYOD (Personal Devices)
Staff using personal phones for work email is common but creates risks. Options:
Option 1: App Protection Only
Protect work data within apps without managing the whole device:
- **Microsoft Intune App Protection**: Requires PIN to open Outlook/Teams, prevents copy to personal apps, can wipe only work data
- **Google Advanced Protection**: For Google Workspace
**Pros**: Staff privacy preserved, less intrusive
**Cons**: Less control, relies on app-level protection
Option 2: Full Device Enrollment
Staff consent to device management:
- Full security policies apply
- Full wipe capability
- More control
**Pros**: Maximum security
**Cons**: Staff may resist, privacy concerns
Option 3: No Personal Devices
Provide company devices only:
- Complete control
- Clear separation
- More expensive
**Recommended approach for small business**: App protection policies for personal phones, full management for company-owned laptops.
GDPR Considerations
Under UK GDPR, you must:
Implement Appropriate Security
Article 32 requires "appropriate technical and organisational measures" to protect personal data. Encryption and access controls are explicitly mentioned as appropriate measures.
Report Breaches
If a device containing personal data is lost or stolen:
- Assess if data was accessible (unencrypted = likely breach)
- If high risk to individuals, notify ICO within 72 hours
- If very high risk, notify affected individuals
**With encryption**: If the device was fully encrypted and protected by a strong password, the data is likely inaccessible, so the risk is lower and ICO notification may not be required (but document your assessment).
**Without encryption**: Assume the data is compromised; this is likely a reportable breach.
Maintain Records
Keep records of:
- Security measures in place
- Device encryption status
- Incident response actions
Creating a Device Security Policy
Document your requirements:
> **[Company Name] Mobile Device Security Policy**
>
> **Scope**: All laptops and mobile devices used for company business
>
> **Encryption**:
> - Company laptops: BitLocker/FileVault required, recovery keys stored [location]
> - Mobile devices: Built-in encryption enabled, passcode required
>
> **Authentication**:
> - Minimum 8-character password (12+ recommended)
> - Auto-lock after [5] minutes
> - Biometric recommended where available
>
> **Remote Wipe**:
> - All devices registered with [Intune/Find My/MDM]
> - Lost/stolen devices reported immediately to [person/email]
>
> **Personal Devices (BYOD)**:
> - Must accept app protection policies
> - Work email requires [Outlook app / specific app]
> - Right to wipe work data if device lost or employment ends
>
> **Lost/Stolen Procedure**:
> 1. Report immediately to [contact]
> 2. Remote wipe initiated
> 3. Passwords changed for affected accounts
> 4. Breach assessment conducted
Authority Resources
- **ICO Security Guidance**: [ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/) - GDPR security requirements
- **NCSC Mobile Device Guidance**: [ncsc.gov.uk/collection/mobile-device-guidance](https://www.ncsc.gov.uk/collection/mobile-device-guidance) - Securing mobile devices
- **NCSC BYOD Guidance**: [ncsc.gov.uk/collection/device-security-guidance/bring-your-own-device](https://www.ncsc.gov.uk/collection/device-security-guidance/bring-your-own-device)
- **ICO Personal Data Breach Reporting**: [ico.org.uk/for-organisations/report-a-breach](https://ico.org.uk/for-organisations/report-a-breach/) - When and how to report breaches
Your Device Protection Checklist
**For Each Laptop**
- [ ] Full-disk encryption enabled (BitLocker/FileVault)
- [ ] Recovery key stored securely (not on the device)
- [ ] Strong password/PIN required
- [ ] Auto-lock configured (5-15 minutes)
- [ ] Remote wipe capability enabled
- [ ] Registered in device inventory
**For Each Mobile Device**
- [ ] Encryption enabled (usually default with passcode)
- [ ] 6-digit PIN or stronger
- [ ] Biometric enabled (fingerprint/face)
- [ ] Auto-lock configured (1-5 minutes)
- [ ] Find My / Find My Device enabled
- [ ] App protection policy applied (if BYOD)
**Documentation**
- [ ] Device security policy written
- [ ] Lost/stolen device procedure documented
- [ ] Staff trained on requirements
- [ ] Device inventory maintained
Getting Started This Week
**Day 1**: Audit encryption status on all company laptops
**Day 2**: Enable BitLocker/FileVault on any unencrypted devices
**Day 3**: Enable remote wipe capability (Intune, Find My, etc.)
**Day 4**: Review mobile device policies (BYOD or company-only)
**Day 5**: Document policy and lost device procedure
Protecting data on mobile devices isn't optional—it's a GDPR requirement and a business necessity. The good news: the tools are built into your devices. You just need to enable them.