The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This simple guide has been written to help small organisations improve the security of their data and keep it from getting lost, damaged or stolen.      

The 72 hours following a personal data breach are particularly critical. If you’re dealing with one right now, follow our simple guide on how to respond to a personal data breach.

It might not be possible to prevent every personal data breach, but you can minimise the risk significantly by making sure you and your staff handle people’s personal data with care. You have to do this by law, but it also makes good business sense because a personal data breach can be costly to put right.

We’re here to help. Here are ten simple steps that you can start implementing today to minimise the risk of personal data breaches happening at your small organisation.

1. Store personal data securely

You have to keep personal data safe and make sure no one has access to it without your authorisation. Some simple security measures could include storing paperwork in a locked cabinet and putting strong passwords on all your devices. If you’ve got sensitive personal information, you must take extra steps to protect it from getting lost, damaged or stolen.

2. Have a clear desk policy

Staff shouldn’t store paperwork on their desk or in their workspace, including folders, cards, and post-it notes. Make a policy about this to help minimise the risk of sensitive information being left unattended. 

3. Have a remote working policy

Staff should understand how personal data should be handled if they work off-site. If you use mobile devices, put technical measures in place to secure them, such as two-factor authentication.

4. Keep your address book up-to-date

Ask your customers, clients or members regularly to let you know if they change their address or other contact details. This will help to reduce the risk that an address you have on file for them isn’t the right one.

5. Name your documents clearly and consistently

If you name your documents the same way every time, it makes it easier to find the right one. It’s also less likely that someone will attach the wrong document to an email.

6. Use blank template documents and store them separately

If you use template documents, make sure you create a new copy of it every time and avoid overwriting a previous document. Blank templates should be stored away from pre-populated ones to avoid someone seeing this information by mistake.

7. Review your access controls

Not everyone needs access to everything, so think about whether you can tighten your access controls so that staff only have access to the personal data they need to carry out their role.

8. Train your staff

Data protection is everyone’s responsibility, so make sure you give your staff and volunteers the training, support and resources they need to get it right.

9. Back up your systems

If you have a back-up of the personal data you hold stored securely off-site, you’ll still be able to access that data even if there’s a break-in, fire or flood at your workplace.

10. Watch out for ex-employees

Staff taking data with them when they leave an organisation is a common type of personal data breach. You can use restrictive covenant clauses in employment contracts to help stop ex-employees from soliciting or dealing with customers whose information they had access to while employed by you.