The compliance lead who tried to filter personal devices, and walked into a privacy problem

She had a clean line ready for the auditors: every endpoint that touches corporate data runs DNS filtering, every query is logged, no exceptions. So when the BYOD program landed on her desk, she pushed the same agent profile onto it. Personal phones, personal laptops, same resolver, same full query log. On hardware the employer does not own, that consistency backfires.

The security part worked fine. What she had also done was start a record of where her colleagues bank, which clinic someone looked up at 2am, which union site a warehouse worker reads on the train home. None of that is a logging policy. A data protection authority files it under workplace surveillance.

Where DNS logging meets GDPR and employee monitoring

A DNS query log becomes personal data the moment it can be tied to a person, and on a named, enrolled device it always can. GDPR then wants a lawful basis. For monitoring staff, consent rarely qualifies, because the gap in power between employer and employee makes it suspect. That leaves legitimate interest, which survives only when the processing is genuinely necessary and proportionate. Recording an employee's whole personal browsing to catch corporate malware does not clear that bar.

Local rules pile on. France's CNIL expects workers to be told about every form of monitoring through the data protection policy, and the works council consulted before anything goes live. Miss those steps and the monitoring is unlawful, however convincing the security story sounds in the boardroom.

Managed-profile scoping versus full-device filtering

The answer is not to soften the filtering. Confine it to the slice of the device the employer actually has standing to govern. iOS and Android both expose a managed work profile, a per-app VPN, and per-profile DNS configuration. Filtering and logging belong inside that boundary and stop dead at its edge.

In practice the agent enforces policy for corporate apps and the work profile, and never touches the personal partition. Ask that compliance lead now what she collects from a personal device and the honest answer is "work-profile resolution, nothing else," a sentence that holds up under questioning. "Everything the device resolves" earns a follow-up letter.

Data minimization in DNS query logs

Even inside the work profile, collect less than you technically could. Minimization is a requirement, and a few choices carry most of the weight:

The test fits on one line. If a log field would embarrass you in front of a regulator and would not help an analyst stop an attack, it should not exist.

Works councils, consent, and proportionality

Bring the works council in as a design input, not a rubber stamp at the finish. They ask the proportionality questions a DPA would: why this scope, why this retention, whether personal traffic is in play. Bring them managed-profile-only filtering and short, minimized logs and the meeting is brief. Bring full-device capture and you are bargaining down from a position the regulator already dislikes.

A BYOD posture that survives a DPA inquiry

Write the boundary down before you ship it: what gets filtered, where the agent stops seeing, what gets logged, for how long, and who was consulted. ClearScreen lets you run a dedicated managed-profile policy group for BYOD with its own categories and retention, kept apart from corporate-owned endpoints, so personal traffic never lands in the log to begin with. That separation is the difference between a control you can defend and one you have to apologize for. Scope a BYOD profile from the features page and keep personal traffic out of scope by design.