Help notes: DATA SECURITY & DATA PROTECTION
There are two questions to answer: one about data security and one about data protection (UK GDPR).
Do these questions apply to me? Is this a regulatory requirement?
The GDPR applies to any organisation that processes personal data of individuals, whatever the size of the business. That includes customer and employee information.
Measures around protecting personal information are generally legal requirements, and not complying with the GDPR can lead to penalties for mishandling data. Measures around data security are an element of the GDPR and are also best practice for the protection of your organisation, employees and supply chain. Encryption, firewalls and access controls help you operate securely and maintain trust with your clients and other contacts. Even paper records should be kept secure.
UK legal requirements around data security are mostly governed by the Data Protection Act 2018, which incorporates the GDPR. Others include the Computer Misuse Act 1990 and Fraud Act 2006. There are various criminal offences relating to data security in the UK which can apply to organisations, including:
- unlawful processing of personal data (including failing to obtain the necessary consent)
- failure to notify a data breach
- failure to protect data (typically inadequate security measures leading to a data breach)
- disclosing personal data without consent (especially for financial gain or other improper purposes)
- offences around unauthorised access to information, cyberattacks, and fraud
Do you have a policy (a set of ideas and plans) for keeping data secure at your organisation, and could you show that you follow this policy?
Data security means protecting sensitive information from risks to your organisation like unauthorised access, breaches of regulations, and cyber-attacks.
What is a ‘Yes’ for me?
Answer ‘yes’ if you can state that you have considered the principles of keeping data secure at your organisation, you have a policy that your organisation actively uses, and you could demonstrate this.
Data Security: risks, and examples of measures
Data security measures typically include:
- Encryption
- Access controls
- Firewalls
- Audits
- Training
- Incident Response Plans
Lack of data security measures can expose organisations to risks like:
- Unauthorised people getting access to your customer information, financial records, or Intellectual Property
- Loss of trust from customers, and negative publicity or reputation damage
- Fines and penalties for breaching regulations, or failing audits, and legal costs
- Cyber attacks crashing systems or causing other business interruption and downtime
- Cyber attacks tricking employees into revealing sensitive information
- Identity theft
- Ransomware attacks (encrypting your data and demanding payment for its release)
- Putting your supply chain at risk
- Loss of competitive advantage from leaking of information
Data Security: policy guidance for smaller organisations
You could use this checklist as a simple way of creating a policy if you don’t have one already. It is based on the ‘Cyber Action Plan’ produced by the UK National Cyber Security Centre, a simple survey which gives tips on increasing your data security.
- Work email and social media passwords are different from all other passwords
- Strong passwords are used for work email
- 2-step verification is enabled for important work accounts
- Backups are made of important work data
- You know how to access important information from your backup quickly
- Security features are enabled for all main work devices (e.g. screen autolock; PIN; passcode; findmydevice)
- Computer firewalls are turned on and antivirus enabled
- Latest updates are promptly installed on work devices
- New apps and software are only installed after checking the source
- Staff are aware of and trained in these measures
Data Security: policy guidance for medium/large organisations
Organisations of this size would usually have a formal written Data Security Policy, including measures around:
- Security in place (encryption, system security, access controls, firewalls, etc.)
- Audits
- Training
- Incident response plans
Organisations of this size are likely to have a person dedicated to managing the organisation’s cyber security and responsible for its data security policy.
You could use the following resources to help create a policy if you don’t have one already.
- ‘10 Steps to Cyber Security’ from the National Cyber Security Centre is advice aimed at medium to large organisations that have someone dedicated to managing the organisation’s cyber security.
- Cyber Assessment Framework from the National Cyber Security Centre
- Other links from the NCSC’s Cyber security guidance for business
Do you have a policy (a set of ideas and plans) for handling personal information at your organisation in line with the UK GDPR, and could you show that you follow this policy?
GDPR (General Data Protection Regulation) is about handling a specific type of information, namely personal information about individuals (like people’s names, phone numbers, addresses, credit card details or IP addresses). It is about protecting people’s privacy rights.
What is a ‘Yes’ for me?
Answer ‘yes’ if you can state that you have thought about the principles of legally handling personal information in your organisation, you have a policy that your organisation actively uses, and you could demonstrate this.
GDPR: policy guidance for smaller organisations
As a small business, you’ll generally handle a far smaller volume of data than a large business. Even though the volume may be less, you still need to have the necessary procedures in place to be able to protect individuals’ data and to deal with their requests, as per the requirements of UK GDPR.
Personal information you hold is most likely to be records of customers, staff, prospective customers (leads) and suppliers.
You could use this checklist to think about considerations around personal data protection. It is based on official guidance from government, the Information Commissioner’s Office (ICO) and the Federation of Small Businesses (FSB).
- Personal information is kept secure (see data security above)
- Personal information is kept accurate and up to date
- Personal information is only kept for as long as you need it and then shredded or deleted
- If and when someone’s personal data is collected, they are informed (e.g. via a privacy notice):
  - who you are and how you’ll use their information, including whether it’s being shared with other organisations
  - that they have the right to:
    - request any information you hold about them and correct it if it’s wrong
    - request that their data is deleted
    - request that their data is not used for certain purposes
- If you have staff, guidance around staff recruitment, staff records and monitoring staff at work is followed
- If you use CCTV, guidance on its use is followed
- Generally, organisations need to keep the Information Commissioner’s Office informed about how they use personal information, and pay a fee. Check with the ICO whether this applies to you.
GDPR: policy guidance for medium/large organisations
Organisations of this size generally have a policy relating to Data Protection and related privacy notices.
They are likely to have a person dedicated to managing the organisation’s data protection compliance and responsible for its data-related policies. A policy should set out measures around the Data Protection principles. These cover the following general areas:
- Data Protection Rights: Ensuring individuals’ rights regarding their personal data, such as the right to access, correct, delete, and transfer their data.
- Lawful Processing: Processing personal data only when there is a valid legal basis, such as consent, contract necessity, or legitimate interest.
- Transparency: Clearly informing individuals about how their data is collected, used, and shared, typically through a privacy policy.
- Data Minimisation: Collecting only the data that is necessary for a specific purpose and not retaining it longer than needed.
- Security Measures: Implementing appropriate technical and organisational measures to protect personal data from breaches and unauthorised access.
- Data Protection Impact Assessments (DPIAs): Conducting assessments to identify and mitigate risks associated with data processing activities.
- Notification of Breaches: Informing authorities and affected individuals promptly in case of a data breach.
The Information Commissioner’s Office provides further guidance.
Examples of processing personal data of individuals
The Data Protection Act 2018 and UK GDPR apply to any organisation that processes personal data of individuals, whatever the size of the business. That includes customer and employee information.
For example, it will apply when you:
- Collect personal information from clients, customers, or suppliers (e.g., names, addresses, email addresses, phone numbers, or payment details).
- Process any personal data electronically (e.g., on a computer, smartphone, or online platform), or on paper.
- Store personal information, either digitally or in physical form.
You are likely to do these if you:
- keep customers’ addresses on file
- recruit staff
- manage staff records, record staff working hours
- market your products or services
- use CCTV
- give delivery information to a delivery company
- use email to contact individuals
Individuals whose personal data you hold (data subjects) have certain rights in relation to their data.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
