GDPR and Endpoint Security, what you need to know

GDPR on endpoint or mobile device

The General Data Protection Regulation has been in force since May 2018, and it is no longer the new arrival that had organisations scrambling. It is settled law, and the supervisory authorities have spent the years since building a detailed body of enforcement around it. For anyone responsible for mobile security, the practical question has moved on. It is no longer “are we ready for GDPR.” It is whether your security architecture still passes the tests the regulators now apply, and whether it holds up against the newer rules arriving alongside it.

GDPR still reaches further than many assume. It applies to customer data, but it also governs the personal data of employees, and the test is location rather than citizenship: under Article 3 the regulation covers processing carried out in the context of an establishment in the EU, and processing about people who are in the EU, whatever passport they hold. A reliable rule of thumb remains: if the customer, the employee or the business sits within the EU, GDPR applies. What has changed is the surrounding landscape. The EU AI Act is now in its rollout phase, and individual member states have used the power in GDPR Article 88 to set their own, often stricter, national rules on processing employee data, workplace monitoring included. The result is a more demanding environment, not a simpler one.

Endpoint security remains a critical part of any organisation’s information security stack. Anti-malware tools, secure web gateways and endpoint management systems all work to ensure desktops, laptops and mobile devices are not compromised. But these systems involve, to a greater or lesser extent, the monitoring of employees’ private data and internet activity. That tension is sharpest on smartphones and tablets, which are routinely used for both personal and business purposes.

So how do we reconcile comprehensive protection of company and customer data with the privacy rights of employees?

The proportionality test still decides it

GDPR allows employee monitoring, but it sets conditions on how far that monitoring can go and how the resulting data is handled. The key principle is proportionality, backed by the data minimisation principle in Article 5(1)(c): collect only what is adequate, relevant and necessary for the stated purpose. The security benefit must clearly outweigh the reduction in employee privacy. If a measure cannot be shown to deliver a real security gain, it cannot lawfully be deployed, and if the same gain is available with less data, the leaner option is the one the regulation expects. This applies across desktops, laptops and mobile devices.

This does not stop businesses from monitoring device usage. If a proposed measure passes the proportionality test, the organisation is entitled to monitor and to maintain a safe working environment. Where the monitoring is systematic, the organisation will usually need to complete a Data Protection Impact Assessment under Article 35, since systematic monitoring of individuals is one of the processing types the regulation flags as likely to be high risk. The assessment is case by case, so the answer can vary by industry and by the type of organisation involved.

One point has hardened since 2018, and it matters. Employers used to lean on employee consent as a basis for monitoring. Regulators now treat consent as rarely valid in the employment context (Recital 43 says as much), because the imbalance of power between employer and employee means an employee cannot freely refuse or later withdraw it without fear of consequences. For workplace monitoring, the defensible basis is legitimate interest under Article 6(1)(f), supported by a documented legitimate interests assessment covering the purpose, the necessity of the measure and the balance against the employee's rights. Consent on its own will not carry the weight.

Why businesses monitor mobile devices

Monitoring employee devices helps detect and prevent the loss of personal data, the loss or theft of intellectual and physical property, and supports the security of company systems. These are recognised as valid reasons. But the test does not end there. Where two measures deliver the same or similar result, the least invasive one must be chosen. This subsidiarity requirement is now central to how authorities such as the French CNIL and the Dutch supervisory authority assess monitoring tools, and several have ruled continuous or highly intrusive monitoring disproportionate as a general rule. Failure to comply with GDPR can still result in fines of up to €20 million or 4% of annual global turnover, whichever is higher, under Article 83(5).

The national-rules trap

A single “EU approach” no longer describes reality. Member states have set materially different requirements. Germany requires works council co-determination under the Works Constitution Act (section 87(1) no. 6 BetrVG) before tools capable of monitoring employee behaviour or performance can be deployed, and applies a strict proportionality test to employee data under section 26 of the Federal Data Protection Act (BDSG). France prohibits permanent, continuous monitoring unless justified by a specific risk, and the CNIL has effectively ruled out keylogging for general productivity purposes. The Netherlands treats keystroke logging, screenshot capture and activity trackers as disproportionate as a rule, unless there is a documented, concrete security risk. For a business operating across several member states, the safe approach is to default to the strictest applicable rule and relax only where local law clearly allows.

The new layer: AI in the security and monitoring stack

The EU AI Act adds a second axis of regulation that did not exist when this article was first written. Where GDPR governs how personal data is processed, the AI Act governs how the AI system itself behaves: whether it is transparent, whether a human can oversee it, and whether its outputs are accurate and fair. The two apply in parallel, and compliance with one does not satisfy the other.

This matters for security teams because employment and worker management is one of the high-risk categories under the Act. AI systems used to evaluate, score or make decisions about workers fall into scope. The headline obligations for these high-risk systems were originally set to apply from August 2026, though a provisional agreement reached in May 2026 would defer them to December 2027. That deferral has not yet been formally adopted, so the sensible course is to keep preparing rather than plan around an extension that is not yet law. Separately, the Act’s transparency obligations, which include telling people when they are interacting with an AI system, largely remain on the earlier track.

The practical takeaway is the same one that has held since 2018, now with sharper teeth. The less personal data a security tool collects, and the less it makes automated judgements about individual employees, the smaller its regulatory footprint under both GDPR and the AI Act. Architecture is the lever.

We explored this shift in our webinar, Mobile Device Security Re-imagined for the AI Era, looking at what changes for mobile security as AI moves into both the threat landscape and the defensive stack. The recording is available to watch on demand.

GDPR and endpoint security

GDPR also affects how companies secure corporate-owned mobile devices. Businesses running Enterprise Mobility Management systems and other mobile security products may have to adapt their chosen solutions to stay in line. Where consent is the basis relied on, the organisation must be able to demonstrate it (Article 7(1)), so a record should be kept of how and when each employee gave it. More generally, the Article 30 record of processing activities should state where employee data came from, why it is processed and any parties it was shared with. An information audit of this kind supports the transparency and accountability the regulation expects, and helps if unauthorised access to employee data ever occurs.

Mobile security solutions should, in fact, help businesses move towards their compliance objectives. In the event of a data breach, with the 72-hour notification clock of Article 33 running, a mobile security solution can provide a clear log of the events leading up to it, drawn from pre-agreed access to corporate-owned devices, so the administrator can see which devices and apps accessed which business services. With that in place, the data protection officer can make a better-informed decision on next steps, including whether the breach is one that must be reported.

Mobile security solutions can also help separate personal and business data. The device controller should not be able to reach an employee’s personal apps, email and the like. This minimises the invasiveness of the security solution, increases the organisation’s security, and indirectly supports employee morale and productivity. Our blog post on mobile content filtering covers why a well-judged filter can lead to a better, more productive working environment.

Why Corrata does not require change

Corrata is GDPR-compliant by design. Existing and future clients have nothing to worry about, because the Corrata app does all of its processing on the device, reaching out to the Corrata Cloud only for threat intelligence and configuration. This minimises invasiveness and removes the need for the organisation to log device usage. By minimising data collection, Corrata minimises privacy concerns and keeps users safe from both cyber threats and compliance exposure.

This advantage is sharpest on personal and BYOD devices, where regulators across the EU now apply a very high proportionality bar and generally treat the monitoring of private devices as off limits. By contrast, mobile security providers using the traditional VPN gateway or proxy approach must route and inspect employees’ internet usage for their controls to work. Corrata is different. Employee internet activity does not need to be viewed by any system outside the device. Corrata is just as effective at protecting the device from web-based threats, but every device with the app installed simply has a filter, not a supervisor. If a device tries to connect to a malicious host, the app blocks access. That access attempt can be reported to the security team, because it is a matter of legitimate interest and passes the proportionality test. The employee’s general private activity stays private.
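The filter-not-supervisor design described above, as an added example that is not Corrata's code: a minimal model of the two telemetry architectures the paragraph contrasts. The gateway variant has to see every request to do its job, so it holds the full browsing history; the on-device variant reaches the same block decisions but only ever emits the block event. The blocklist, device names and browsing session are constructed for the illustration, and the matching helper is ours, not any vendor's.

```python
"""Added example (not Corrata's code): two telemetry designs for a mobile
web-threat control, compared on how much employee browsing data leaves
the device.  The blocklist, device names and browsing session are
constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed threat-intelligence feed.  A real feed is fetched from the
# vendor cloud, but in both designs below the match is computed locally.
BLOCKLIST = {"malicious.example", "phish.example"}


def host_matches(host: str, blocklist: set) -> bool:
    """True if host equals a blocklisted domain or is a subdomain of one.

    Matching is done label by label so that 'cdn.malicious.example' is
    caught while 'notmalicious.example' is not (a naive string-suffix
    check would wrongly block the latter).
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass
class GatewayProxy:
    """Traditional VPN gateway / proxy: every request is routed through
    the gateway, so it necessarily sees, and here records, the complete
    browsing history of every device, allowed traffic included."""
    blocklist: set
    log: list = field(default_factory=list)

    def handle(self, device: str, host: str) -> bool:
        blocked = host_matches(host, self.blocklist)
        self.log.append({"device": device, "host": host, "blocked": blocked})
        return not blocked


@dataclass
class OnDeviceFilter:
    """Filter, not supervisor: the decision is taken on the device and
    only a block event is reported.  Allowed traffic leaves no record
    anywhere, which is the data-minimisation argument in the text."""
    blocklist: set
    reported: list = field(default_factory=list)

    def handle(self, device: str, host: str) -> bool:
        if host_matches(host, self.blocklist):
            # The one event that passes the proportionality test:
            # an attempted connection to a known-malicious host.
            self.reported.append({"device": device, "host": host})
            return False
        return True


# Constructed browsing session mixing private and business use.
SESSION = [
    ("device-a", "mail.corp.example"),
    ("device-a", "news.example"),
    ("device-a", "cdn.malicious.example"),
    ("device-b", "bank.example"),
    ("device-b", "phish.example"),
    ("device-b", "photos.example"),
]


def telemetry_footprint(session=SESSION, blocklist=BLOCKLIST) -> dict:
    """Run the same session through both designs and summarise what each
    one retained about the employees' activity."""
    gateway = GatewayProxy(blocklist)
    on_device = OnDeviceFilter(blocklist)
    gw_decisions = [gateway.handle(d, h) for d, h in session]
    od_decisions = [on_device.handle(d, h) for d, h in session]
    return {
        "decisions_agree": gw_decisions == od_decisions,   # same protection
        "gateway_records": len(gateway.log),               # every request
        "on_device_reports": len(on_device.reported),      # blocks only
        "blocked_hosts": [e["host"] for e in on_device.reported],
    }


if __name__ == "__main__":
    for key, value in telemetry_footprint().items():
        print(f"{key}: {value}")
```

The two handlers make identical allow/block decisions on every request; the difference is entirely in what survives afterwards. Six requests through the gateway leave six records, four of them about private, harmless browsing; the same six through the on-device filter leave two, both about connections to hosts already on the threat list. That gap is the proportionality argument in concrete form, and a reviewer asked to sign off a DPIA can point at it.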

Conclusion

GDPR forced changes to endpoint security, particularly for mobile devices, and the obligations to protect personal data and detect when it has been compromised have only grown more important. The EU AI Act now adds a second set of expectations on top. Solutions whose architecture depends on continuous external monitoring of device activity sit awkwardly against both. When we founded Corrata in 2016, it was with exactly this challenge in mind: to deliver best-in-class mobile security without compromising employee privacy. We believe our solution answers that challenge today. The job for every security architect is the same one, now with more regulation behind it: strike the right balance between employee privacy and effective information security.

To find out more about Corrata’s solutions, get in touch, and for more industry news, insight and analysis, follow us on LinkedIn.

Related Resources

Read the latest news on endpoint threat detection and response from the experts.

  • Corrata Appoints Mark Kirwan as Chief Executive Officer
  • Corrata Reimagines Mobile Device Security for the AI Era
  • Mobile Device Security Reimagined for the AI Era
  • The Data Heist Nobody Is Talking About