M&S and Co-op cyber-attacks: how to stay ahead of a data breach

Posted on May 20, 2025
Posted by Rahul

Last week’s headlines were dominated by the devastating cyber-attacks on Marks and Spencer and the Co-op, which caused massive disruption to logistics and a breach of customer data, leaving orders incomplete and shelves empty.

While large chains and listed companies are especially rewarding targets for cyber criminals, small businesses are particularly at risk because they may be less prepared for, or less able to deal with, such an attack.

Whether you store personal information in filing cabinets, computer hard drives, or cloud platforms, your business must have robust data protection and cyber security measures in place.  

Good practice prevents data breaches

Most businesses store data electronically, whether on-site or in the cloud. With that comes the risk of cyber crime. To stay secure you should consider these measures: 

i. Limit system access: Only authorised staff should have access to systems or files containing personal data, and access should be revoked promptly when staff leave. Ensure you have a robust password policy. Use individual logins and strong passwords – consider using two-factor authentication.  

See Q&A here for more on securing electronic devices.

ii. Encrypt portable devices and data: Encrypting files or full devices (like laptops and USB drives) ensures that even if a device is lost or stolen, the data remains unreadable. This is especially crucial for data in transit.  

Make sure you have a robust security policy for your staff devices and accounts, particularly if your staff use their own devices.  

For template policies you can use, see our IT, communications and social media policy for a general policy and Bring your own device policy for when staff are working on their own personal devices. 

iii. Back up data regularly: Use automated daily backups and store at least one backup copy in a different location (eg a secure cloud service). Make sure you can restore data quickly if needed.

Defending against cyberthreats

i. Keep software and devices up to date: Regular updates and security patches fix known vulnerabilities. Enable automatic updates where possible and uninstall unused software to reduce entry points for attackers. Consider signing your staff up to a fraud alert like Action Fraud to keep up to date with the latest scams.

ii. Install antivirus and enable firewalls: This protects systems from malware, viruses, and ransomware. Always use reputable antivirus software and monitor it regularly.

iii. Train staff to spot threats: Human error is one of the biggest risks. Train employees to recognise phishing emails, avoid suspicious links, and report unusual activity immediately.

See Q&A here for more guidance on defending against cyber attacks. 

Outsourcing your storage? What to consider

If you use cloud services or outsource IT to third parties you may need to consider special safeguards to stay on top of your duties to protect personal data.  

i. Have a written contract: This is legally required if you share personal data with a service provider. It must clearly state that the provider will only act on your instructions and keep data secure.

ii. Know where your data is stored: Data stored outside the UK must have appropriate safeguards in place. You’re still responsible for compliance, even if a breach happens on the provider’s end. 

iii. Insist on encryption and secure access: Encrypt files before uploading them and require two-factor authentication for staff logging in remotely. 

iv. Check credentials and certifications: Ensure your provider follows recognised cyber security standards or holds Cyber Essentials certification. This adds peace of mind and reduces risk.

v. Monitor access and log activity: Use tools that allow you to audit who accesses your data and when. This can be essential in spotting suspicious activity early. 

See Q&A here and here for a deeper look at cloud security and outsourcing data storage. 

Respond effectively

No system is 100% foolproof. If you suspect that personal data has been lost, stolen, or accessed without permission: 

i. Identify if a personal data breach occurred: This includes data being accidentally sent to the wrong person, lost devices, or hacking incidents. 

ii. Evaluate the risk to individuals: If the breach could result in harm — such as financial loss or identity theft — you must report it to the ICO within 72 hours. Failure to notify may result in a fine.

iii. Inform affected individuals if necessary: If there’s a high risk to people’s rights and freedoms, you must also inform them promptly, so they can take steps to protect themselves.  

See Q&A here for full guidance on managing a data breach. 

Conclusion

Cybercrime can have serious financial and reputational repercussions for your business, in addition to the distress that a personal data breach can cause for your employees. Stay on top of your business’s duties using our guidance and toolkits, such as our GDPR-compliant Data protection policy and Data protection impact assessment policy.

The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.