I'm aware that some apps collect data from other apps, and often these data are private data. These data can and will be stored "somewhere" in the world and eventually sold or exchanged with even more "data collectors" for all kinds of purposes (marketing, crime, fraud and hacking). As you (acc. to GDPR) have to describe how you protect private data from being distributed outside your company, you will need a secure setup on your mobile devices.
On a private smart phone (BYOD) or corporate phones with private user profiles, users are making private backups of smart phones, with all smart phone data. When an employee ends his career at a company, these data will still be available on the private backup and can be restored onto a new smart phone.
How do you avoid these situations?
With BYOD devices (Bring Your Own Device), the challenges are even more complex. Often the users do not want two smart phones to handle, and often they like to use their private smart phones for work.
To me the solution is quite simple. Use corporate smart phones and allow private data outside a corporate container on the smart phone with business apps only... BUT that's (in my experience) not how the companies / organizations are handling the smart phone challenges.
What's your experience?
I think the answer is, or can be, to store sensitive data in encrypted containers on the mobile devices. Also make sure to manage, and limit, the communication to and from other apps and functionality on the devices through policies. And make sure the devices adhere to certain compliance rules such as the minimum level of operating system, rooted or not, password complexity. Also, through policies it is possible to maybe not disable backup, but make the restore inaccessible and thereby useless.
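As an added illustration (not code from either poster, and not from any MDM product), the compliance rules named in that answer written out as a small evaluator over constructed device inventory records. The record field names, rule codes and thresholds are assumptions; a real MDM reports equivalent attributes and would deny corporate app or data access to any device whose findings list is not empty.

```python
"""Device compliance checks of the kind an MDM policy enforces, as a plain
Python illustration. The device records and policy thresholds below are
constructed for the example and do not come from any real MDM product."""
import re
from dataclasses import dataclass


@dataclass
class Policy:
    # Minimum OS version per platform, compared numerically (so 17.10 > 17.2).
    min_os: dict
    allow_rooted: bool = False
    min_passcode_length: int = 6
    require_alphanumeric_passcode: bool = True
    allow_backup_restore: bool = False


def parse_version(version):
    """'17.1.2' -> (17, 1, 2); tuples compare component by component."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def evaluate(device, policy):
    """Return the list of policy rules this device violates (empty == compliant)."""
    findings = []
    min_version = policy.min_os.get(device["platform"])
    if min_version is None:
        findings.append("platform_not_allowed")
    elif parse_version(device["os_version"]) < parse_version(min_version):
        findings.append("os_below_minimum")
    if device.get("rooted") and not policy.allow_rooted:
        findings.append("rooted")
    passcode = device.get("passcode") or {}
    if not passcode.get("set"):
        findings.append("no_passcode")
    else:
        if passcode.get("length", 0) < policy.min_passcode_length:
            findings.append("passcode_too_short")
        if policy.require_alphanumeric_passcode and not passcode.get("alphanumeric"):
            findings.append("passcode_not_alphanumeric")
    # The answer's last point: leave backup alone, but a device that can
    # restore from a private backup is out of policy.
    if device.get("backup_restore_enabled") and not policy.allow_backup_restore:
        findings.append("backup_restore_enabled")
    return findings


def compliance_report(devices, policy):
    """Map device id -> findings for a whole inventory."""
    return {device["id"]: evaluate(device, policy) for device in devices}


# Constructed sample policy and inventory (hypothetical values, not real data).
SAMPLE_POLICY = Policy(min_os={"android": "13", "ios": "17.2"})

SAMPLE_DEVICES = [
    {"id": "dev-001", "platform": "android", "os_version": "14", "rooted": False,
     "passcode": {"set": True, "length": 8, "alphanumeric": True},
     "backup_restore_enabled": False},
    {"id": "dev-002", "platform": "android", "os_version": "12", "rooted": True,
     "passcode": {"set": True, "length": 8, "alphanumeric": True},
     "backup_restore_enabled": False},
    {"id": "dev-003", "platform": "ios", "os_version": "17.1.2", "rooted": False,
     "passcode": {"set": True, "length": 4, "alphanumeric": False},
     "backup_restore_enabled": False},
    {"id": "dev-004", "platform": "ios", "os_version": "17.2", "rooted": False,
     "passcode": {"set": True, "length": 6, "alphanumeric": True},
     "backup_restore_enabled": True},
]

if __name__ == "__main__":
    for device_id, findings in compliance_report(SAMPLE_DEVICES, SAMPLE_POLICY).items():
        print(device_id, "compliant" if not findings else ", ".join(findings))
```

Versions are compared as integer tuples rather than strings so that a later minor release such as 17.10 is not judged older than 17.2, which is a common mistake in home-grown compliance scripts.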
The answer absolutely can be. MDM only protects the right device's access to the right data or the right apps, but does not secure the data. To secure data we can implement solutions such as file encryption, DLP, and CASB, to satisfy GDPR or other compliance certifications. A sample total solution from Microsoft is Microsoft Information Protection (MIP), which can be combined with Microsoft Intune (MDM) to be fully protected.