This content was reviewed on 13 Feb 2024.
Being your own boss means you’re responsible for protecting your business against the threat of cyber-attacks and data breaches. With seven million cyber-crimes targeted at small businesses in the UK every year, these incidents can happen to any business, no matter how small. It’s vital to put measures in place to safeguard your business.
Protecting company and customer data is also a legal requirement under the Data Protection Act (2018), which incorporates the UK General Data Protection Regulation (UK GDPR). All data or information that relates to an identifiable individual that your business stores or handles needs to be properly protected, whether it’s staff information or a client’s personal details.
Failing to adequately protect your business can be costly. According to the Cyber Security Breaches Survey 2021, the average cost of a cyber incident for a small business is £8,460, not to mention the potential for fines for non-compliance.
Thankfully, there are measures, policies and processes you can put in place. You’ll note that some of these are legally required and others are highly recommended. Experts from FSB Legal and Business Hub explain what they're used for and why they're so important.
1. Cyber security policy (Recommended)
A cyber security policy provides guidelines for how your online systems and software should be used to minimise risk. It helps everyone in your business to understand the processes you have in place to protect your company, data and assets from cyber criminals or from accidental data loss.
2. UK GDPR data processing agreement (Required)
Before you even consider sharing personal data with third-parties you need to have a lawful basis for doing so, because sharing is a form of processing. You need to be familiar with certain terms, because you will either be one of both of the following:
- Data controller – A controller determines the purposes and means of processing personal data.
- Data processor – A processor is responsible for processing personal data on behalf of a controller.
A data processing agreement is a contract between a data controller and a data processor. For example, your company may be engaging with a third-party who will be processing personal data on behalf of your client. The agreement establishes how the data will be used and why, and it’s required to ensure data protection rules are followed.
3. Privacy notice/policy/statement (Required)
You should always have a privacy notice/policy/statement on, which is a document that sets out why you collect personal data and your legal grounds for processing it etc. This document is essential in order to make sure you are compliant with your data protection obligations as a business. It explains how your business protects personal data and the measures you put in place to comply with data protection laws. It covers areas such as data processing, roles and responsibilities, and contact information.
If you have a website, which most businesses do, this document should be in a prominent position. By doing this you’re being transparent, as the GDPR requires, and you are alerting everyone as to what you intend to do with any personal data you obtain about them.
Even if you do not have a website you still need to have a privacy notice/statement.
4. Data breach policy (Recommended)
You should ideally have a data breach policy so that you know how to deal with any data breaches. Which may occur.. Different breaches need to be notified to different parties (I.e. The ICO, the general public, the individual(s) affected) and within different timescales depending on how serious they are.
The Information Commissioner’s Office (ICO) states that a personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
5. Business password policy (Recommended)
A business password policy is a set of rules that you and your team follow to increase cyber security and reduce the risk of cyber criminals getting access to your systems. The National Cyber Security Centre has further guidance on secure password strategies you can implement.
6. Employee exit checklist (Recommended)
An employee leaving your business, whether for pastures new or due to dismissal, can present cyber security issues, for example preventing unauthorised access when someone no longer works for you. Revoking access to your systems and devices is especially important if the employee was handling sensitive or confidential information.
Find out more about what to do when an employee leaves your business.
7. Cyber security due diligence questionnaire for third parties (Recommended)
Working with external companies? You should be choosing your suppliers with cyber security and data protection in mind.
If you rely on third parties to process your data, such as your suppliers or services providers, then you’re responsible for any personal data that is handled by third parties that contract with you and you should check they have appropriate data protection measures in place.
8. Personal data subject access request response letter (Required)
Under data protection laws, everyone has the right to request a copy of the personal information that a business holds on them. There are strict rules in place for abiding by these requests, which are enforced by the Information Commissioners Office (ICO).
9. Cookie policy (Required)
The data protection rules provide detailed guidance around the requirement and use of cookies on websites. It’s important to understand these. Your responsibility includes telling people that you use cookies, andexplaining what they do and why they are needed. The user/website visitor must actively consent to your use of any cookies, or you should not use them. The rules in this regard are strict, and there can be significant financial consequences including the possibility of fines and civil court action if you get things wrong.
Download your free documents now
FSB members have access to documents, guides and template policies via FSB Legal and Business Hub, covering a variety of data and cyber security matters to help keep your small business secure and compliant.