Managing Data Security

This easy guide to data protection for small business in the UK will give you all the information you need to make sure you’re up to date with legal requirements.


You’ve probably heard of terms such as GDPR, and you’re most likely wondering how you should be managing data security.

You could be given a heavy fine or made to pay compensation if you misuse personal data or don’t comply with regulations on data protection for small business.

Read on for everything you need to know.

As a business owner, whether you have staff or you’re a sole trader, you’re responsible for managing data security for anyone who comes into contact with your business. This includes customers, account holders, suppliers and staff.

What is personal data?

Personal data is any information that relates to an identifiable person, for example:

  • Phone numbers
  • Email addresses
  • Home or business address
  • Date of birth
  • Financial information, such as bank details
  • Health records
  • CCTV footage
  • Delivery information
  • Staff working hours

Managing data security principles

The UK GDPR sets out 7 principles on data protection for small business:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

You can read more about GDPR and these principles here.

Golden rules: Data protection for small business

  1. Holding personal data should be fair and lawful. You should only use this data in ways the person would reasonably expect.

    For example: they have provided you with their email address in order to receive a booking confirmation.

  2. Explain to people why you hold their data, what you plan to do with it, whether it will be shared with other organisations and why, and how long you’ll store the data before disposing of it.

  3. This information should be in a document – known as a privacy policy – which should describe your approach to data protection.

  4. You must also make people aware that they have the right to see the information you hold about them and correct it if it’s wrong; to request that their data is deleted; and to request that their data is not used for certain purposes (such as email marketing).

  5. You have to have a privacy notice (described above) in place before you collect any information from anyone.

Data protection security


Some of the basics for maintaining good cyber security around data include making sure all your computers and devices have antivirus software installed, and storing data securely, possibly by using a CRM system.

In practice this could mean ensuring that all computers are password protected and have antivirus installed, or that filing cabinets are locked. The security measures are your choice, but they must be suitable for the sensitivity of the data you hold.

For example, health and financial records would require a higher level of security.

What you have to do: 5 Steps

Here are the 5 things you need to do to make sure you’re managing data security and complying with regulations on data protection for small business:

  1. Make a list of all the personal data your business holds or is likely to come into contact with

  2. Create a privacy policy and make sure you get the person’s permission before collecting data (discussed above)

  3. Make sure the data you hold is secure (as discussed above)

  4. Tell the Information Commissioner’s Office (ICO) how your business uses personal information

  5. Respond to a data protection request if someone asks to see what information you have about them

Responding to a data protection request

You could receive a fine if you don’t respond to the request or provide the information requested!

According to guidance set out by the UK Government, if someone asks to see the data (information) your business holds on them, this is what you have to do. You must respond to their request within one month, and provide the information free of charge.

Before you respond with the information requested, you must check the identity of the person making the request and remove any data which does not relate to them. You must provide confirmation that you are processing their personal data, a copy of the data, and details of how the data is collected, used and disposed of.

You must respond to them in writing or by email if they have submitted the request via email and have agreed to receive correspondence by email. Your response should be clear, easy to read and understand.

Recruitment and managing staff records

You must keep any data you collect on staff or applicants secure – lock paper records in filing cabinets, set passwords for computer records, or use a secure cloud storage system for digital documents, for example. Only keep the information for as long as you have a clear business need for it, and dispose of it securely afterwards – by shredding, for example.

A low-cost HR software package is a great way to keep staff and applicant details stored safely.

Your staff have the right to ask for a copy of the information you hold on them. This includes information about grievance and disciplinary issues. If a member of staff makes a request to see this data, you must respond to their request within 30 days.

Recruitment records

You must give your business name and contact details (or those of the recruitment agency) on job adverts. You should only collect the information you need on digital or written application forms.

Don’t ask for irrelevant information. You should securely dispose of data you no longer require.

Create a privacy policy

As discussed earlier, to make sure you are managing data security properly, when processing personal data, you must inform people what you are doing with it. This needs to be in a document called a privacy policy or privacy notice.

You can make this available on your website or as a paper copy.

Here’s a free privacy policy template you can download from the Information Commissioner’s Office. For more information or advice on data protection for small business, contact the Information Commissioner’s Office (ICO).
