Small Business Saturday Blog

Top 10 security tips for small businesses storing personal data

Thursday, December 12, 2019 at 00:30

As Small Business Saturday puts small businesses and enterprises in the spotlight, it’s an ideal opportunity to shine a light on some of the ICO’s guidance to help make sure you are handling personal data safely and securely.
In celebration of Small Business Saturday 2019, the ICO launched a new SME website hub, developed to make it easy for sole traders, small businesses and SMEs to find the essential guidance they need to understand their GDPR obligations.
Almost every small business handles personal information and your customers share data online every time they visit your website, search for or buy something, or send you an email.
This information belongs to them. You should only use it in ways they would reasonably expect and it should be kept safe.
Since the General Data Protection Regulation (GDPR) came into force in May 2018, more people are aware of their privacy rights and of how their personal data is being used and looked after.
Good information handling makes good business sense. Keeping personal information accurate, relevant and secure saves you time and money, and it builds trust and confidence with your customers and staff.
The key to achieving this is making sure the personal data you hold is secure. We’ve set out our top 10 tips for businesses that store personal information on a network:
1. Know your data – start with an inventory. Understand what personal data you hold, where it is, how it is stored and who has access to it.
2. Have a data security policy – or make sure your existing data security policies and procedures are up to date and reflect the needs of your business.
3. Train your staff – put your policies and procedures into action. Human error is one of the main causes of data breaches, so provide regular and adequate training for your staff.
4. Change default passwords – new devices come with default passwords that are well known to attackers. Set your own strong, unique passwords and limit the number of failed login attempts before an account is locked; this makes guessing attacks against your systems far less effective.
5. Limit access – each user must have, and use, their own username and password, and their account should have only the permissions the job requires. Remove access immediately when a staff member leaves the organisation, and suspend it during long absences.
6. Secure your wi-fi – allowing untrusted devices onto your business network, or using work devices on untrusted networks outside the office, can put personal data at risk.
7. Install a firewall – if you store personal data on a network, your first line of defence should be a well-configured firewall that allows only the connections your business needs. It can stop an intrusion before it gets deep into your network.
8. Update your malware protection – keep up-to-date anti-virus or anti-malware products regularly scanning your systems to prevent or detect threats.
9. Regularly back up your data – back-ups should not be permanently visible to the rest of the network (a back-up that an attacker or ransomware can reach is not a back-up), and at least one copy should be off-site. Test that you can restore from them. Don’t leave back-up drives unattended; lock them away when not in use. If you store data in the cloud, make sure you know what data is there.
10. Think about encryption – encrypt personal data, especially on laptops, phones and removable drives that could be lost or stolen, so that it can only be read by authorised users who hold the key.
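Tip 4 names two controls that are easy to state and easy to get wrong: refusing well-known default passwords, and locking an account after repeated failed logins. The following is an added example, not code from the ICO or from this post, showing both in a small authenticator. The list of default passwords and the lockout thresholds are constructed for illustration; the design points it demonstrates are that failures are counted per account within a lockout window, that the window is enforced even when the correct password is finally supplied, and that password comparison is constant-time and uses a salted, slow hash.

```python
"""Added example: default-password rejection and failed-login lockout (tip 4).

Not the ICO's code. KNOWN_DEFAULTS, MAX_FAILURES and LOCKOUT_SECONDS are
assumed values chosen for illustration.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample of vendor default passwords; a real deployment would
# use a maintained list, but the check is the same.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "default"}
MIN_PASSWORD_LENGTH = 12

MAX_FAILURES = 5            # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using a salted, deliberately slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class Authenticator:
    """In-memory user store with per-account lockout after repeated failures."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now          # injectable clock so lockout expiry can be tested
        self._accounts: Dict[str, Account] = {}

    def create(self, username: str, password: str) -> None:
        # Refuse the passwords attackers try first: vendor defaults and short ones.
        if password.lower() in KNOWN_DEFAULTS or len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password is a well-known default or too short")
        salt, digest = hash_password(password)
        self._accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self._now()
        acct = self._accounts.get(username)
        if acct is None:
            # Hash anyway so an unknown username is not faster to reject
            # than a wrong password (avoids username enumeration by timing).
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            # Locked accounts are refused even if this attempt is correct;
            # otherwise an attacker could keep guessing through the lockout.
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.create("alice", "correct horse battery staple")
    for attempt in ["wrong"] * MAX_FAILURES + ["correct horse battery staple"]:
        print(attempt, "->", auth.login("alice", attempt))
```

The lockout is per account rather than per source address, so it still works when guesses arrive from many addresses; the trade-off is that an attacker can deliberately lock a known username out, which is why the window is short and why tip 3's training should tell staff how to report it.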
What to do when there’s a personal data breach:
A personal data breach is broadly a security incident that has affected the confidentiality, integrity or availability of personal data.
If your business experiences a breach, your first priority should be to contain it and mitigate any risk to the people affected, for example by resetting compromised passwords.
If the breach is likely to result in a high risk to people, you must tell those affected without undue delay and advise them how they can protect themselves.
Unless the breach is unlikely to result in a risk to people, you must also report it to us within 72 hours of becoming aware of it. We will take details and advise you of any further steps you can take to mitigate the risks and prevent similar breaches in the future.
If you think the breach is unlikely to pose a risk to people, you don’t need to report it to us, but you must still document the details and your rationale for not reporting.
If you want to report a breach, or you’re unsure about any aspect of managing a breach, you can ring our helpline on 0303 123 1113.
We also have a self-assessment form you can use when deciding whether to report a breach to us.
There is much more information on reporting personal data breaches on our website. We have also created a webinar which you can watch.
Our resources
There is a wealth of guidance and resources on our website for small businesses.
If you are unsure whether you need to follow data protection law, you might want to take our short quiz first.
You will also find a self-assessment checklist which you can use to improve your understanding of data protection. It will also suggest some practical actions you can take to make sure you are keeping people’s personal data secure.
By meeting your obligations, you'll enhance your business's reputation and increase customer and employee confidence. It shows you mean business.
Faye Spencer is Head of Customer Contact, Information Commissioner’s Office (ICO).

