
ICO issues top five areas for improvement for SMBs


Small and medium-sized businesses should train staff in data protection, use encryption on portable devices and only keep people's information for as long as necessary.

According to the Information Commissioner's Office (ICO), staff training and communication with customers about their details are the most important of its top five areas for improvement for small and medium-sized organisations.

Its top five areas are as follows:

  • Tell people what you are doing with their data. People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
  • Make sure your staff are adequately trained. New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
  • Use strong passwords. There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
  • Encrypt all portable devices. Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
  • Only keep people's information for as long as necessary. Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.  

The ICO has also recommended that charities and third sector organisations do a data protection ‘check-up’, as they often handle sensitive information such as individuals' medical details and are potentially more susceptible to encountering a serious data breach.

Louise Byers, head of good practice at the ICO, said: “We are aware that charities are often handling extremely sensitive information relating to the health and wellbeing of vulnerable people. With these organisations often lacking the money to employ dedicated information governance staff, there's a danger that many charities may be struggling to look after people's data.

“A one-day advisory visit from the ICO provides charities with a data protection ‘check-up’ and practical advice on how they can look after people's information. We are now calling on these organisations to use the summer period to check that their data protection practices are adequate and get in touch before it is too late.”

Sam Younger, chief executive of the Charity Commission, said: “Trustees are responsible for ensuring their charity complies with relevant legislation – including the Data Protection Act – and for protecting their charity's reputation. Mishandling sensitive data not only causes individuals serious distress, it can also damage the good name of your charity. So I encourage trustees of charities that handle sensitive data to take note of the ICO's guidance and consider taking part in an ICO advisory visit.”

An ICO advisory visit is offered free of charge to give small and medium-sized organisations the opportunity to discuss and receive practical advice from the ICO aimed at improving their data protection practices.

It said that the visits last one day and each organisation is provided with a short report summarising the ICO's findings and providing practical advice on how they can improve. These can be organised by sending an email to advisory@ico.gsi.gov.uk, with more information available here.
