The ICO exists to empower you through information.

How to use this report

Please see below for suggested actions and further reading based on your answers to the five questions. You can download this report as a Word document using the button on the top right corner of the page. If you have a problem downloading the report into a Word document please let us know.

Do you have someone in your business who takes the lead for the security of your personal data? - Yes


Having someone to take the lead on your business’ information security should give you confidence that you’re taking good care of the personal data your staff and customers trust you with.

You should support them in their role by regularly reviewing and, where necessary, improving the support and resources available to them. 

Have a plan in place for when this person is unavailable, as some issues can't wait.

If they move on, you need to choose someone to replace them. Train the new person and tell everyone in your business who they are and how to contact them.

Relevant staff should meet with the lead person regularly to review your security measures and discuss any problems they identify. 

Where necessary, you should take action to reduce the risk of poor information security, for example by giving extra training to staff.

Do you have someone in your business who takes the lead for the security of your personal data? - No


The lead person should implement robust measures to protect your personal data.  These should include technical measures, such as:

  • Controlling access, eg:
    • having unique user accounts and strong passwords;
    • changing default passwords; and
    • using encryption to protect emails containing personal data.
  • Preventing unauthorised access, eg:
    • limiting access to personal data to only those who need it;
    • implementing anti-malware and anti-virus software protection;
    • running regular vulnerability scans; and
    • ensuring the vendor still supports your operating systems and software.

Physical security measures you might consider include:

  • restricting access to certain areas of your business;
  • having lockable filing cabinets;
  • using a clear desk policy;
  • having appropriate entry controls, such as door locks, passcodes or alarms;
  • introducing visitor protocols, such as a signing in and out book and escorting visitors when necessary; and
  • using a secure courier when transferring personal data off-site.

Document your security measures as part of your data protection policy. You should regularly review the policy to ensure it accurately reflects how your business protects personal data.

See our guide on 11 practical ways to keep personal data secure for more suggestions.

When staff process personal data away from the office, does the lead person know what extra security measures to consider? - Partially


The lead person should know who processes personal data away from the office and what devices they use. They should keep an up-to-date log of this information.

You may need extra security measures to keep personal data secure.  Consider things like:

  • encryption;
  • having a virtual private network (VPN);
  • immediate restricting controls;
  • two-factor authentication; and
  • remote wiping capability.

Staff should know who to contact if they have any problems, including what to do outside office hours.

Read our working from home guide.

Does everyone in your business know what they need to do to keep personal data secure? - Partially


Make sure your security measures form part of your new starter and refresher training, including what you expect of staff when using your systems. You need to tell them if you plan to monitor their system usage.

Processes, procedures or working instructions you give to staff should include the security measures you expect them to take to keep personal data secure.

Our guide to basic personal data security: quick wins is a good place to start.  

You should encourage everyone to tell the lead person if they spot any problems.

Do you have a contingency plan in place for personal data you hold in key systems, applications and storage facilities? - No


Don’t wait for an incident to happen before creating a contingency plan.

Regularly back-up personal data you hold electronically. It’s good practice to store back-ups in a different location to the original data. This helps you to recover your business in the event of a loss of personal data.

Regularly test back-up and recovery processes to check systems or software remain fit for purpose, should you need them.

Get more information on security here.