Digital Transformation

Data protection at stake when companies implement BYOD

Staff may be able to leave employment still holding on to sensitive data.

Companies that implement a bring your own device (BYOD) policy in their workplace might have to review their security measures and make sure they have disaster recovery plans in place in case of a data breach or hack.

Graeme Batsman, director of, noted that BYOD has existed for a number of years but has only recently become a recognised concept and problem.

While firms could save money by not paying to pay for office USB drives and hard drives, they should also be aware of the security risks of allowing employees to work with their own equipment.

"By [allowing] staff to freely use their own devices, a ‘£5 data breach’ can happen. Forget spending tens of thousands of pounds on advanced firewalls and antivirus, data breaches usually happen due to the people element," he warned.

BYOD also opens up "a whole can of worms" with regards compliance and technical issues.

"If a company supplies staff with USB drives, then it has the right to enforce full drive encryption. If a staff member brings their own, then it’s not the company’s property, nor is the data," Mr Batsman noted.

He pointed out that compliance is a particular problem from a data protection point of view, because companies that allow BYOD no longer have control of data or keep audit records.

"A staff member who leaves may not remove the data and if it is lost one year down the line, it will sting the company after the employment period. Sensitive data is no longer within four walls or within a certain country."

Meanwhile, a Scottish council has been fined £140,000 for breaching data protection laws after it released details of vulnerable people to the wrong individuals.

Midlothian council was found by the Information Commissioneris Office to have broken the law five times by sending reports about children to incorrect addresses and agencies.