The ICO exists to empower you through information.

This checklist is for sole traders and other UK small businesses. Use it to check whether you are keeping your personal data secure.

Once you complete the checklist, you get a short report with practical actions you can take and additional guidance to improve your security measures.

If you’re unsure if you need to comply with data protection law, you should take this short quiz first.

More information

By law you must keep personal data secure.

You must put appropriate measures in place to protect it from being lost, accidentally destroyed, altered without proper permission, damaged or disclosed to someone it shouldn’t be.

Having someone in your business to keep your personal data secure saves you time and money, as poor information security can be costly. Consider the financial cost of recovering lost data, the staff time spent fixing a mistake and the reputational damage when customers are put at risk.

More information

There are many different ways to keep personal data secure, and there is no one-size-fits-all solution. What’s appropriate depends on the risk to people if something goes wrong. The bigger the risk, the more you need to do to protect the data.

You should put technical and practical measures in place. More sensitive data, such as health information, needs a higher level of protection.

You should document your security measures in a data protection policy. You should regularly review the policy to ensure it accurately reflects how your business protects personal data.

See our guide on basic personal data security: quick wins for more details.

More information

It’s very common for staff to process personal data on mobile devices or removable media such as USBs, either at home or when on the move.

In these cases you may need extra security measures in place to keep personal data secure. For example:

  • encryption;
  • having a virtual private network (VPN);
  • immediate restricting controls;
  • two-factor authentication; and
  • remote wiping capability.

Our working from home guidance is a good place to start.

More information

It's important everyone understands they have a vital role to play in keeping personal data secure.

It won’t matter what measures your lead person puts in place if the organisation doesn’t use them. For example, having a strong and complex password is pointless if it is shared between users.

Training should include what actions staff need to take to keep personal data secure.

More information

Having a contingency plan to manage serious disruptions, such as major system outages, helps to keep your business running.

It also helps you to identify and protect critical records.

You should keep back-up copies of electronic information and systems.

Make sure you regularly test the back-up and recovery processes to ensure they remain fit for purpose.