Company device lost or stolen? What to do now

Company device lost or stolen? Follow this emergency checklist, learn your GDPR obligations, and prevent data breaches. Practical guide for SMBs.


Key Takeaways

  • The first 60 minutes are critical: A lost company device becomes a data breach when the response is slow. Immediate remote locking, access revocation, and documentation can contain the damage before it spreads.
  • A lost device costs far more than the hardware: The average cost of a single lost laptop is approximately $49,000, and 80% of that figure comes from the data breach – not the replacement device.
  • GDPR obligations depend on encryption: Under GDPR, a lost device with unencrypted personal data can trigger a mandatory 72-hour notification to supervisory authorities.
  • Prevention beats firefighting: Centralized device management, enforced encryption, and clear lifecycle processes turn a potential disaster into a manageable inconvenience.
  • An all-in-one IT platform closes the gaps: With deeploi, SMBs get centralized device management, remote lock and wipe, encryption enforcement, and automated onboarding and offboarding, without needing a dedicated IT team.

Your colleague calls on a Monday morning. She left her company laptop on the train on Friday evening. She only realized over the weekend, but figured it could wait until Monday. That laptop has client contracts in the downloads folder, an active Google Workspace session, and access to your CRM. A company device lost or stolen is more than an inconvenience – it is a data security incident waiting to happen, and the first 60 minutes of your response determine the outcome.

This guide* walks you through exactly what to do when a device goes missing, what your GDPR obligations are, and how to set up your company so a lost device never becomes a disaster. It is written specifically for growing SMBs that do not have a dedicated IT department.

Why a Lost Device Costs More Than You Think

Most people think about the replacement cost when a laptop goes missing. A new MacBook runs €1,500–€3,000. Annoying, but manageable. The real cost is somewhere else entirely.

Research from the Ponemon Institute found that the average total cost of a single lost laptop is approximately $49,000. Only 2% of that comes from replacing the hardware. About 80% is driven by the data breach: forensic investigation, credential resets, legal review, regulatory notification, lost productivity, and the cost of lost intellectual property.

For SMBs, these numbers hit harder. A company with 50 employees does not have an incident response team on standby. There is no legal department to handle the GDPR notification. The person responsible for IT is usually the same person responsible for three other things. And the data shows this is not a rare event: approximately 4.3% of company-issued smartphones are lost or stolen every year.

Beyond the direct costs, there is the reputational damage. For SMBs that depend on client trust – consultancies, agencies, healthcare-adjacent companies, fintechs – a single publicized data breach can break relationships that took years to build.

The takeaway is straightforward: the response plan and the prevention setup matter far more than the device itself.

| Cost category | Share of total cost |
|---|---|
| Data breach (investigation, notification, legal, IP loss) | ~80% |
| Lost productivity and downtime | ~15% |
| Device replacement | ~2% |
| Other (forensics, consulting, regulatory) | ~3% |

The First 60 Minutes: Your Emergency Checklist

When a company device goes missing, speed determines whether this stays a minor incident or turns into a reportable data breach. Here is the step-by-step process, in order.

Step 1: Report the loss immediately

The employee must notify IT or management the moment they realize the device is missing – even if they think it might turn up. Delayed reporting is the single biggest factor that turns lost devices into expensive breaches. If your company uses an IT support solution, a quick message or ticket is enough to trigger the response.

Step 2: Remote lock the device

Using your MDM (Mobile Device Management) platform, lock the device remotely. This prevents anyone from accessing the contents while you assess the situation. With a platform like deeploi, remote locking is available from a central dashboard and takes seconds.

Step 3: Attempt to locate the device

If location services are enabled (Find My iPhone, Find My Device for Android, or MDM-based GPS tracking), check the device's last known location. This helps you determine whether the device is likely misplaced or stolen. Do not attempt to physically recover a stolen device – that is a matter for the police.

Step 4: Revoke cloud and SaaS sessions

Log into your Google Workspace or Microsoft 365 admin console and terminate the device's active sessions. Do the same for any SaaS tools the device had access to: CRM, project management, communication platforms, file storage. If you manage software centrally, this process is faster because you know exactly which apps were installed and accessible.

Step 5: Reset passwords

Change passwords for all accounts that were accessible from the device. Start with email (the master key to most account recovery flows), then workspace accounts, then business-critical applications. If the employee reused passwords across accounts, change those too.

Step 6: Decide – remote wipe or recovery?

If the device appears to be misplaced (last seen at a known location, no signs of unauthorized access), you may choose to wait before wiping. If the device is confirmed stolen or cannot be located within a reasonable window, initiate a remote wipe to delete all company data. Note: once you wipe a device, tracking functionality usually stops working – make sure recovery is unlikely before you take this step.

Step 7: Report theft to police

If the device was stolen, file a police report. Have the device serial number and IMEI (for phones) ready. The police report is also important documentation if you later need to demonstrate due diligence for GDPR or insurance purposes.

Step 8: Document everything

Record the incident in writing: what happened, when the loss was discovered, when it was reported, what actions were taken and at what times, and what data was potentially on the device. This documentation is required under GDPR (Article 33(5)) regardless of whether the incident is reportable – and it protects your company if questions arise later.

Ready to make sure your team can respond in minutes, not days? An all-in-one IT platform like deeploi gives you remote lock, remote wipe, and full device visibility from a single dashboard – with personal expert support available in 12 minutes on average.

GDPR and a Lost Device: Do You Need To Report It?

This is the question that keeps founders and HR managers up at night after a device goes missing. The answer depends on one key variable: encryption.

Under GDPR, a lost or stolen device containing personal data can constitute a reportable data breach. Article 33 requires organizations to notify their supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms. The clock starts when your company becomes aware of the loss – not when the device was actually lost.

Here is the critical distinction:

If the device is encrypted with strong full-disk encryption, the data is unreadable to anyone without the decryption key. In this case, the European Data Protection Board (EDPB) guidance indicates that notification to the supervisory authority may not be required, because the risk to individuals is minimal. However, you must still document the incident internally (Article 33(5)).

If the device is unencrypted (or only password-protected without encryption), notification is likely required if the device contained personal data — even if that data is not particularly sensitive. Large volumes of names, email addresses, or client contact details on an unencrypted laptop can be enough to trigger the obligation.

If the data is highly sensitive (health information, financial records, government IDs), the bar is even higher. You may need to notify both the supervisory authority and the affected individuals directly.

Practical guidance for SMBs

  1. Assess what data was on the device. Start with: Was personal data stored locally? Which accounts were logged in? Were files synced from cloud storage?
  2. Check the encryption status. If full-disk encryption (e.g. FileVault on macOS, BitLocker on Windows) was active and the device was shut down or locked, the data is protected.
  3. Consult your Data Protection Officer (DPO) or external data protection advisor. If you are unsure whether the incident is reportable, seek guidance – but do it quickly, because the 72-hour window does not pause.
  4. When in doubt, notify. Failing to report a breach that should have been reported carries a penalty of up to €10 million or 2% of global annual turnover under GDPR. Over-reporting carries no penalty.
  5. Document the decision. Whether you notify or not, record your reasoning and the facts it was based on. Regulators can audit these records at any time.

The single most important prevention measure? Enforce full-disk encryption on every company device from day one. This is exactly what a device management platform should handle automatically – and it is one of the core features of deeploi's cybersecurity setup.

| Scenario | Encrypted? | GDPR notification required? |
|---|---|---|
| Laptop lost, full-disk encryption active, device was locked | Yes | Likely not – but must be documented internally |
| Laptop stolen, no encryption, contains client email addresses | No | Yes – notify supervisory authority within 72 hours |
| Phone lost, MDM-enforced encryption and remote wipe executed | Yes | Likely not – especially if wipe was confirmed |
| Laptop lost, password-protected but no disk encryption, contains HR data | Partial | Likely yes – password alone may not be sufficient protection |

What Every Employee Should Know: Before It Happens

The IT response is only half the equation. The other half is what the employee does in the first minutes after realizing a device is missing.

Report immediately – even if you think you will find it. Every hour of delay increases the risk. The Ponemon Institute found that when a loss is reported on the same day, the average cost stays below $9,000. When reporting takes more than a week, the cost climbs to nearly $116,000. An employee should never assume it can wait until Monday.

Never try to recover a stolen device yourself. If you suspect theft, contact your company and the police. Confronting someone who has stolen a device is a personal safety risk – and it is not your responsibility.

Know your company's reporting contact. Every employee should know exactly who to call or message when a device goes missing. This information should be part of the onboarding process and documented in an accessible place (not only on the lost device itself).

Practice basic device hygiene. Always use the lock screen with a strong passcode or biometrics. Never store passwords on sticky notes or in unprotected text files. Avoid storing sensitive files exclusively on local drives – use cloud storage so the data survives even if the device does not.

These habits are simple, but they make the difference between a lost device that is a minor operational disruption and one that triggers a full-scale data breach investigation.

How To Keep Track of All Company Devices

You cannot protect what you cannot see. When a device goes missing, the first question is always: what was on that device? If your device inventory is a spreadsheet that was last updated three months ago, you are flying blind.

Centralized IT inventory instead of spreadsheet chaos

Spreadsheets fail at device management for predictable reasons. They go stale the moment someone forgets to update them. They do not track who currently has which device, what software is installed, or whether encryption is active. They cannot alert you when a device drops off the network or misses a security update.

A proper IT inventory is a real-time dashboard that shows every device in your fleet: who it is assigned to, its operating system and patch status, installed applications, encryption status, and last check-in time. When a device goes missing, you should be able to answer in 30 seconds: "What exactly was on that machine?" – not in 30 minutes after digging through old spreadsheets and asking colleagues.
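As an added illustration (not deeploi's code or export format), the following Python sketch audits an inventory export for the gaps this section describes: devices with encryption off or unknown, devices without an assignee, and devices that have stopped checking in. The column names, the sample rows, and the 14-day check-in threshold are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed inventory export. Column names and rows are hypothetical and
# do not reflect any particular MDM product's export format.
INVENTORY_CSV = """\
hostname,assigned_to,os,disk_encrypted,last_checkin
mac-design-01,a.meyer,macOS,true,2024-03-04T08:12:00
win-fin-02,j.schmidt,Windows,false,2024-03-04T07:55:00
mac-sales-03,,macOS,true,2023-11-20T16:40:00
android-07,l.koch,Android,true,2024-02-01T09:00:00
win-hr-05,p.braun,Windows,,2024-03-03T18:30:00
"""


def audit_inventory(csv_text, now, max_checkin_age=timedelta(days=14)):
    """Return {hostname: [reasons]} for devices that need attention.

    A device is flagged when its encryption state is off or unknown, when
    nobody is recorded as its assignee, or when its last check-in is older
    than max_checkin_age (assumed threshold, tune to your fleet).
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        encrypted = row["disk_encrypted"].strip().lower()
        if encrypted == "false":
            reasons.append("encryption off")
        elif encrypted != "true":
            # An unknown state cannot be relied on after a loss,
            # so it is reported alongside "off".
            reasons.append("encryption unknown")
        if not row["assigned_to"].strip():
            reasons.append("no assignee")
        age = now - datetime.fromisoformat(row["last_checkin"])
        if age > max_checkin_age:
            reasons.append(f"no check-in for {age.days} days")
        if reasons:
            findings[row["hostname"]] = reasons
    return findings


if __name__ == "__main__":
    report = audit_inventory(INVENTORY_CSV, now=datetime(2024, 3, 4, 12, 0))
    for host, reasons in report.items():
        print(f"{host}: {', '.join(reasons)}")
```

Run against a real export on a schedule, a report like this surfaces the unencrypted or forgotten device before it goes missing rather than after.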

Managing Windows, Apple, and mobile devices in one system

Most SMBs run a mixed fleet: MacBooks for the design team, Windows laptops for finance, iPhones and Android phones for everyone. Managing these across separate tools – Apple Business Manager here, Intune there, a separate phone management platform on the side – creates gaps. And gaps are where devices get lost without anyone noticing.

Cross-platform MDM is the backbone of device oversight. A single platform that handles enrollment, encryption enforcement, software deployment, patch management, and policy enforcement across macOS, Windows, iOS, and Android. This is exactly what deeploi's device management provides: a centralized dashboard covering all major platforms, designed for companies without dedicated IT teams. No technical expertise required to operate. Your entire device fleet – visible, manageable, and secured from one place.

For a detailed comparison of MDM platforms, see our MDM software comparison.

How To Prevent a Lost Device From Becoming a Data Breach

The emergency checklist handles the crisis. This section ensures the crisis never escalates in the first place.

The prevention layer

Full-disk encryption on every device, enforced from day one. This is the single highest-impact security measure for lost-device scenarios. If encryption is active and the device is locked, the data is unreadable – which means no GDPR notification, no data breach, and no panic. Encryption should not depend on individual employees remembering to enable it. It should be enforced automatically through your device management platform.

Cloud-first data storage. If critical business data lives exclusively on a laptop's local drive, a lost device means lost data. When files, documents, and project data are stored in Google Workspace, Microsoft 365, or another cloud platform, the data survives even if the hardware does not. The lost device becomes a hardware problem, not a data problem.

Endpoint protection with active threat detection. A lost device can become a vector for attacks on your broader infrastructure if someone gains access and attempts to connect to company systems. Endpoint protection (deeploi integrates SentinelOne for this) monitors for suspicious activity and blocks threats before they spread. Combined with automated backup through Acronis, your data has an additional safety net.

Security policies enforced automatically. Password requirements, screen lock timeouts, access controls, and software update policies should not be suggestions. They should be enforced across every device in your fleet, with no manual configuration required. This is a core function of any serious MDM and device management setup.

Clear processes for the full device lifecycle

The other half of prevention is process. Devices go missing most often at two points: when they are first issued (no one records the serial number or assignment) and when an employee leaves (the device sits in a drawer and is forgotten).

Onboarding: When a new employee starts, their device should be configured, assigned, and tracked automatically. With deeploi's zero-touch provisioning, devices are shipped preconfigured directly to the employee – office or home – ready to use on first startup. The device is registered in the inventory the moment it is provisioned. No manual tracking required.

Offboarding: When an employee leaves, every account, license, and device access should be revoked systematically. With deeploi, offboarding workflows can be triggered automatically: workspace accounts downgraded, SaaS access revoked, email forwarding activated, data transferred to a successor, and the device remotely locked for return. This eliminates the scenario where a former employee still has an active company laptop six months after leaving.

Replacement provisioning: If a device is confirmed lost or stolen and cannot be recovered, the employee needs a new one – fast. Traditional setup takes hours or days. With zero-touch provisioning through deeploi, a replacement device can be configured and shipped to the employee. Onboarding a replacement takes 3–5 minutes instead of 2–3 hours. The employee is back to work with minimal downtime.

For a deeper dive into IT security for SMBs, including encryption, endpoint protection, and compliance, see our dedicated guide.

Your IT should protect you automatically – not depend on someone remembering to update a spreadsheet. deeploi combines device management, cybersecurity, automated onboarding and offboarding, and personal expert support in one platform. No IT expertise required.

Lost Device Response Checklist

Use this as a quick-reference when an incident happens.

| Step | Action | Who | When |
|---|---|---|---|
| 1 | Employee reports the loss | Employee | Immediately upon discovery |
| 2 | Remote lock the device | IT admin / platform | Within minutes of report |
| 3 | Attempt to locate the device | IT admin / platform | Within minutes of report |
| 4 | Revoke cloud and SaaS sessions | IT admin | Within 30 minutes |
| 5 | Reset all accessible passwords | IT admin + employee | Within 1 hour |
| 6 | Decide: remote wipe or recovery | IT admin / management | Based on assessment |
| 7 | Report theft to police (if stolen) | Employee / management | Same day |
| 8 | Document the incident | IT admin / DPO | Immediately and ongoing |
| 9 | Assess GDPR notification obligation | DPO / data protection advisor | Within 24 hours |
| 10 | Notify supervisory authority (if required) | DPO / management | Within 72 hours of awareness |
| 11 | Provision replacement device | IT admin / platform | As soon as possible |
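
The timed steps of this checklist can be checked against the written incident record from Step 8. The Python sketch below is an added example, not part of deeploi's platform: it compares a documented timeline with the 30-minute, 1-hour, 24-hour, and 72-hour targets and computes the notification deadline from the moment of awareness rather than the moment of loss. The step names and the sample timeline are constructed, and it assumes every target is measured from the time the report reached IT, which is also treated as the time the company became aware.

```python
from datetime import datetime, timedelta

# Numeric targets from the checklist table. Assumption: each is measured from
# the moment the report reached IT, which is also taken as the moment the
# company became aware of the loss (start of the 72-hour GDPR clock).
TARGETS = {
    "sessions_revoked": timedelta(minutes=30),
    "passwords_reset": timedelta(hours=1),
    "gdpr_assessed": timedelta(hours=24),
    "authority_notified": timedelta(hours=72),
}

# Constructed timeline modelled on the article's opening scenario: laptop
# left on a train on Friday, noticed on Saturday, reported on Monday.
# All timestamps are naive and must share one timezone.
SAMPLE_TIMELINE = {
    "lost": "2024-03-01T18:30:00",
    "discovered": "2024-03-02T10:00:00",
    "reported": "2024-03-04T09:00:00",
    "sessions_revoked": "2024-03-04T09:20:00",
    "passwords_reset": "2024-03-04T10:30:00",
}


def review_timeline(events, now, notification_required=True):
    """Compare a documented incident timeline with the checklist targets.

    events maps step names to ISO 8601 timestamps. "discovered" and
    "reported" are mandatory; a missing TARGETS key means "not done yet".
    """
    ts = {name: datetime.fromisoformat(value) for name, value in events.items()}
    aware = ts["reported"]
    result = {
        # Time the employee waited between noticing the loss and reporting it.
        "reporting_delay": aware - ts["discovered"],
        # The clock runs from awareness, not from the moment of loss.
        "notification_deadline": aware + TARGETS["authority_notified"],
        "steps": {},
    }
    for step, limit in TARGETS.items():
        if step == "authority_notified" and not notification_required:
            result["steps"][step] = "not required"
            continue
        due = aware + limit
        done = ts.get(step)
        if done is not None:
            status = "met" if done <= due else "late"
        else:
            status = "pending" if now <= due else "overdue"
        result["steps"][step] = status
    return result


if __name__ == "__main__":
    review = review_timeline(SAMPLE_TIMELINE, now=datetime(2024, 3, 5, 12, 0))
    print("Reporting delay:", review["reporting_delay"])
    print("Notify authority by:", review["notification_deadline"])
    for step, status in review["steps"].items():
        print(f"  {step}: {status}")
```

Whether notification is actually required remains the DPO's decision; the script only tracks the time targets and shows how much of the margin was lost before the report arrived.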

FAQ

Can I track a stolen company laptop?

Yes, if location services or MDM-based tracking were enabled before the device was stolen. Apple's Find My, Google's Find My Device, and most MDM platforms (including deeploi) can show the device's last known location. However, if the thief wipes or powers off the device, tracking may stop. Always report the theft to police rather than attempting to recover the device yourself.

Is a lost company device automatically a GDPR breach?

Not necessarily. A lost device becomes a reportable breach under GDPR when it contains personal data and that data is at risk of unauthorized access. If the device is encrypted with strong full-disk encryption and was locked at the time of loss, the data is protected and notification may not be required. However, every incident must be documented internally regardless – GDPR Article 33(5) requires this. Check the encryption status and consult your DPO to assess whether notification is needed.

How fast can a replacement device be set up?

It depends on your IT setup. Traditional manual provisioning (installing applications, configuring accounts, applying security settings) takes 2–3 hours per device. With zero-touch provisioning through a platform like deeploi, a replacement device arrives preconfigured and ready to use on first startup – the setup takes 3–5 minutes. This is especially important after a device loss, where minimizing employee downtime is critical.

What about BYOD – what if an employee loses a personal phone with company data?

BYOD (Bring Your Own Device) scenarios are more complex because the company does not have full control over the device. Best practice: use an MDM solution that creates a separate work profile on personal devices. This allows the company to wipe the work profile remotely without affecting personal data. If no MDM is in place and the personal device had access to company email, cloud storage, or SaaS tools, you should immediately revoke those sessions and reset the employee's passwords.

What is the difference between remote lock and remote wipe?

A remote lock prevents anyone from accessing the device by activating the lock screen with a passcode, PIN, or biometric requirement. The data stays on the device, and the device can still be tracked. A remote wipe deletes all data from the device, restoring it to factory settings. Use remote lock first (to protect the data while you assess the situation), and escalate to remote wipe if recovery is unlikely and you need to ensure data cannot be accessed. After a remote wipe, most tracking features stop working.

How does modern IT asset management work for small businesses?

IT asset management (ITAM) means maintaining a real-time record of all hardware and software in your company: which devices exist, who they are assigned to, what is installed, and whether they are compliant with your security policies. For SMBs with 20–200 employees, a dedicated ITAM tool is often overkill. An all-in-one IT platform like deeploi handles asset management as part of its device management dashboard – giving you full inventory visibility without needing a separate tool or a dedicated IT team.

Conclusion

A lost company device does not have to become a data breach. With the right response in the first 60 minutes and the right prevention setup in place, it stays exactly what it is: a lost device. If your current IT setup does not give you the tools to respond fast – remote lock, remote wipe, encryption enforcement, and full device visibility – it is time to fix that before the next incident happens.

*This article provides general guidance for SMBs dealing with lost or stolen devices. It is not a substitute for professional IT security or legal advice. For company-specific incident response plans, consult a qualified IT security specialist or data protection advisor.
