The ICO exists to empower you through information.

How to use this report

Please see below for suggested actions and further reading based on your answers to the five questions. You can download this report as a Word document using the button on the top right corner of the page. If you have a problem downloading the report as a Word document, please let us know.

Do you have someone in your business who takes the lead for the security of your personal data? - Yes


Having someone to take the lead on your business’ information security should give you confidence that you’re taking good care of the personal data your staff and customers trust you with.

You should support them in their role by regularly reviewing and, where necessary, improving the support and resources available to them. 

Have a plan in place for when this person is unavailable, as some issues can't wait.

If they move on, you need to choose someone to replace them. Train the new person and tell everyone in your business who they are and how to contact them.

Relevant staff should meet with the lead person regularly to review your security measures and discuss any problems they identify. 

Where necessary, you should take action to reduce the risk of poor information security, for example by giving extra training to staff.

Do you have someone in your business who takes the lead for the security of your personal data? - Yes


Having measures in place to keep your personal data secure is a vital step in reducing the risk to people who trust you.

You should document these measures as part of your data protection policy.

Regularly review your security measures and the policy, particularly if:

  • you make changes to your business;
  • a security incident occurs; or
  • you experience a ‘near miss’.

You should update your security measures when necessary.

Check our guide on 11 practical ways to keep personal data secure for more information and suggestions.

Tell people about any changes as soon as possible.

If people change roles, you should review their access levels, and, if necessary, amend them.

When staff process personal data away from the office, does the lead person know what extra security measures to consider? - Partially


The lead person should know who processes personal data away from the office and what devices they use. They should keep an up-to-date log of this information.

You may need extra security measures to keep personal data secure. Consider things like:

  • encryption;
  • having a virtual private network (VPN);
  • immediate restricting controls;
  • two-factor authentication; and
  • remote wiping capability.

Staff should know who to contact if they have any problems, including what to do outside office hours.

Read our working from home guide.

Does everyone in your business know what they need to do to keep personal data secure? - Yes


When everyone in your business takes steps to keep personal data secure as part of their day-to-day activities, you reduce the risk of a personal data breach happening.

Everyone should know what you expect of them when using your systems, and you need to tell your staff if you plan to monitor their system usage.

Encourage people to tell the lead person as soon as possible if they spot any problems.

The lead person should regularly assess staff feedback and, where necessary, improve your security measures.

Do you have a contingency plan in place for personal data you hold in key systems, applications and storage facilities? - Yes


Having a contingency plan to recover personal data quickly is vital to maintaining the availability of your personal data.

The lead person should regularly check and, where necessary, update your plan to make sure it remains fit for purpose.

You, or an appropriate person, need to sign off the final document and any amendments.

Make sure everyone knows where to find the plan and what actions to take if serious disruption happens, and tell them if it changes.