The ICO exists to empower you through information.

This simple guide has been written to help small organisations improve the security of their data and keep it from getting lost, damaged or stolen.

The 72 hours following a personal data breach are particularly critical. If you’re dealing with one right now, follow our simple guide on how to respond to a personal data breach.

It might not be possible to prevent every personal data breach, but you can minimise the risk significantly by making sure you and your staff handle people’s personal data with care. You have to do this by law, but it also makes good business sense because a personal data breach can be costly to put right.

We’re here to help. Here are 12 simple steps that you can start implementing today to minimise the risk of personal data breaches happening at your small organisation.

1. Store personal data securely

You have to keep personal data safe and make sure no one has access to it without your authorisation. Some simple security measures could include storing paperwork in a locked cabinet and putting strong passwords on all your devices. If you’ve got sensitive personal information, you must take extra steps to protect it from getting lost, damaged or stolen. You also must make sure no-one accesses or alters it without permission.

The ICO works with the National Cyber Security Centre (NCSC) to help organisations protect personal data against cyber threats. Read their guide on actions to take when the cyber threat is heightened.

2. Have a clear desk policy

Staff shouldn’t store paperwork on their desk or in their workspace, including folders, cards, and post-it notes. Make a policy about this to help minimise the risk of sensitive information being left unattended. 

3. Have a remote working policy

Staff should understand how they should handle personal data if they work off-site. If you use mobile devices, put technical measures in place to secure them, such as two-factor authentication. If staff use their own devices, have a security policy in place.

4. Keep your address book up-to-date

Ask your customers, clients or members regularly to let you know if they change their address or other contact details. This will help to reduce the risk that an address you have on file for them isn’t the right one.

5. Name your documents clearly and consistently

If you name your documents using the same format every time, it makes it easier to find the right one. It’s also less likely that someone will attach the wrong document to an email.

6. Take care when redacting data

When responding to a request for information, you’ll often need to send people copies of their data. You may need to remove or redact information about other people. When doing this, be thorough and check the information can’t still be seen or recovered.

7. Use blank template documents and store them separately

If you use template documents, make sure you create a new copy of it every time and avoid overwriting a previous document. Blank templates should be stored away from pre-populated ones to avoid someone seeing this information by mistake.

8. Review your access controls

Not everyone needs access to everything, so think about whether you can tighten your access controls so that staff only have access to the personal data they need to carry out their role.

9. Train your staff

Data protection is everyone’s responsibility, so make sure you give your staff and volunteers the training, support and resources they need to get it right.

10. Back up your systems

If you have a back-up of the personal data you hold stored securely off-site, you’ll still be able to access that data even if there’s a break-in, fire or flood at your workplace.

11. Watch out for ex-employees

Staff taking data with them when they leave an organisation is a common type of personal data breach. You can use restrictive covenant clauses in employment contracts to help stop ex-employees from soliciting or dealing with customers whose information they had access to while employed by you.

12. Take care when talking to others

Be careful not to talk about personal matters where you can be overheard, or tell a person something they’re not entitled to know.

Latest updates

08 August 2022

  • We added a sentence and a tip to help businesses remember that personal data breaches are also when data is overheard, accessed or altered without permission.
  • We added a tip to highlight the need for care when redacting data.