Essential data protection tips for SME businesses


Is your data properly protected?

Data breaches – where a company has their data held ransom, leaked, or sold by hackers – are an increasingly lucrative activity for cybercriminals. And businesses are footing the bill. 

According to the Cyber Security Breaches Survey, 32% of UK businesses have suffered a data breach within the last 12 months[1]. With direct response costs averaging £4250, the long-term financial impact can be significant[2]. Perhaps most damagingly, research shows that 41% of customers wouldn’t trust a company with their personal data again following a breach[3].

A steady stream of sensitive information flows through any business that has employees, clients, or customers. For a small business, how you handle this data could be the difference between swimming or sinking.

Here are some essential tips for maintaining an effective data protection strategy.

Check where you stand

Whether you’re an established company or just starting out, having a strong understanding of the data your business handles is crucial.

Personal data is any information that might identify a person, but it’s not always obvious. To gain a clearer picture of the sensitive data you’re processing day to day, you should perform an audit.

Make a list of the different types of personal data you handle, including:

  • Personal details – such as names, addresses, and phone numbers
  • Numbers and codes – this may include customer reference numbers and IP addresses
  • Forms of identification – such as official documents and photographs
  • Reviews and comments – whether glowing or scathing, these interactions can be used to identify the person who wrote them.

You should also look at how you’re asking for information. People who give up their data should do so with the benefit of transparency. Ensure your data protection notices explain why you need their data and how it will be used.

Consider why you’re collecting the data

First and foremost, you need to make sure your legal basis for processing other people’s data stands up. There are six lawful reasons for handling someone’s data under GDPR:

  • Entering a contract
  • When you’re given consent
  • To comply with the law
  • Claiming your ‘legitimate interest’, taking full responsibility for how the data is used
  • Protecting a person’s ‘vital interest’, such as their physical or financial health
  • When it’s in the public interest[4].

Decide which reasons are most appropriate for your purposes and keep track of them – this will help you to demonstrate compliance if required. Importantly, if you want to change the basis for holding someone’s information, you must get permission from them first.

You should think critically about what information you truly need. There’s no point in requesting personal data that you’re not going to use. Doing so will only increase the damage a data breach could cause.


Regularly audit your data stores

Most data will lose its value over time. If you’re not careful, personal data that’s no longer needed can become a liability.

At best, out-of-date and inaccurate information is an unnecessary burden on your storage capabilities. At worst, it adds dangerous fuel to the fire in a data breach.

GDPR doesn’t set time limits for storing information. Rather, it’s up to you to justify why you still need it (‘just in case’ it’s useful one day doesn’t count). You should consider whether your stated reason for processing the data still applies. If you can’t justify holding onto it any longer, that’s when you should act.

Your safest option is to simply delete any data you don’t need. Doing so ensures GDPR compliance and prevents the data from being used against you by cybercriminals. Alternatively, you could anonymise the data, allowing you to retain demographic insights without the risk of specific people being identified.
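As an added example that is not part of the article, the retention review described above run over constructed customer records: a record whose stated purpose still applies is kept, while one that has outlived an assumed internal retention period is reduced to the coarse demographic fields the article suggests retaining. The record fields, the 365-day period and the postcode-area / age-band generalisation are assumptions for this example, not GDPR requirements.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass
class CustomerRecord:
    customer_ref: str            # reference numbers are personal data too
    name: str
    email: str
    postcode: str
    birth_year: int
    purpose_still_applies: bool  # does the stated reason for processing still hold?
    last_activity: date

RETENTION_DAYS = 365  # assumed internal rule for this example, not a GDPR figure

def needs_action(rec: CustomerRecord, today: date) -> bool:
    """True when the record can no longer be justified: purpose ended and idle too long."""
    idle_days = (today - rec.last_activity).days
    return not rec.purpose_still_applies and idle_days > RETENTION_DAYS

def anonymise(rec: CustomerRecord, today: date) -> dict:
    """Keep only coarse demographics so no individual can be singled out."""
    area = re.match(r"[A-Za-z]+", rec.postcode.split()[0]).group(0)  # "SW1A 1AA" -> "SW"
    decade = (today.year - rec.birth_year) // 10 * 10                 # 39 -> "30s"
    return {"postcode_area": area, "age_band": f"{decade}s"}

def review_store(records: list, today: date) -> tuple:
    """Split a store into records to keep and anonymised demographics for the rest."""
    keep, demographics = [], []
    for rec in records:
        if needs_action(rec, today):
            demographics.append(anonymise(rec, today))  # identifiers dropped here
        else:
            keep.append(rec)
    return keep, demographics

# Constructed sample records; none refer to real people.
SAMPLE = [
    CustomerRecord("C001", "A. Example", "a@example.test", "EC2V 7HR", 1990, True, date(2020, 1, 5)),
    CustomerRecord("C002", "B. Example", "b@example.test", "B1 1AA", 1975, False, date(2024, 3, 1)),
    CustomerRecord("C003", "C. Example", "c@example.test", "SW1A 1AA", 1985, False, date(2022, 1, 1)),
    CustomerRecord("C004", "D. Example", "d@example.test", "M1 1AE", 1960, False, date(2021, 6, 1)),
]

if __name__ == "__main__":
    kept, stats = review_store(SAMPLE, date(2024, 6, 1))
    print([r.customer_ref for r in kept], stats)
```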

Practice good cyber hygiene

Hackers seeking to steal your business data often take a scattergun approach, hoping to catch you off guard with large numbers of crude cyberattacks. Many of these attempts can be thwarted by following the basics[5].

Cyber hygiene is a collection of strategies designed to keep sensitive data secure. Encompassing a vast array of practices, the extent of your strategy depends on your unique business needs. At a minimum, however, your strategy should include:

Encrypting key data: Sensitive information is scrambled by an algorithm, rendering it unreadable (and, therefore, useless) to an unauthorised user.

Keeping your software updated: Roughly 560,000 new malware samples are detected every day[6]. Software providers regularly issue patches and updates to fix known vulnerabilities in their products. It’s best practice to install them as soon as possible to benefit from the latest protection.

Strong password management: Passwords are the key to effective cyber security. They should be at least ten characters long, with a variety of symbols, numbers, and letters[7]. Multi-factor authentication adds an additional layer of protection by requiring users to log in with information sent to their personal devices.

Train your people

No matter the sophistication of your security software, it can’t negate the impact of human error.

According to Deloitte, employees falling for phishing attacks is the cause of 91% of data breaches[8]. Unlike cyberattacks that target gaps in software to steal sensitive information, phishing preys on human weaknesses. Therefore, you need to train your staff how to spot phishing attempts and how to handle them safely.

Cyberthreats are constantly evolving. To ensure your employees are suitably armed against the threats, cybersecurity training should be regularly reviewed and reinforced.

Implement device use policies

Remote working has blurred the boundaries between work and home. To keep your data safe, it’s crucial to have ground rules for employees when they’re working away from the office.

Public Wi-Fi networks should be avoided. They’re often unsecured and vulnerable to attack. Hackers can exploit the weakness to install malicious software and steal sensitive information. That means employees should be discouraged from working in public places, such as cafes and trains.

Employees should also keep their work and personal devices as separate as possible. Working on a home computer poses increased risk. Without the antivirus software and firewalls of work devices, personal devices are more vulnerable to malware. Home computers are also often shared with other family members, increasing the risk that sensitive information could accidentally be compromised.

Talk to a professional

Strong cybersecurity is achievable, no matter how small your business.

Cyber insurance provides vital protection against a wide range of cyber risks, helping you to achieve business resilience. Backed by a comprehensive cyber policy, you can mitigate threats in real time and respond quickly to stop an attack in its tracks.

Howden arranges comprehensive cyber solutions, tailored to your unique needs.
