Security is not optional; it's an obligation
The GDPR states in Article 32 that you must take “appropriate technical and organisational measures” to protect personal data. But what is appropriate? And where do you start if you don’t have an IT department?
The good news: for most SMEs, it's about concrete, achievable steps. You don't need to build Fort Knox, but you must handle the data you process with deliberate care.
Step 1: Know what you have
Before you can secure anything, you need to know what you have. Make an inventory:
- What personal data do you process? Think of customer data, personnel files, supplier data.
- Where is that data? On your computer, in the cloud, in paper files, on USB sticks?
- Who has access? Which employees, external parties, or tools can access the data?
GDPRWise helps you with this inventory via the three dossiers (customers, personnel, third parties). That’s also your starting point for security.
Step 2: Get the basics right
These measures are relevant for every business, regardless of size or sector:
Passwords and access
- Use a strong, unique password for every account, so that one leaked password cannot open the others
- Enable two-factor authentication (2FA) on every account that offers it, starting with your email and the systems that hold personal data; an authenticator app or hardware key is stronger than a code sent by SMS
- Use a password manager so you don't have to remember them
Software and updates
- Keep your operating system and software up to date
- Install security updates as soon as possible; turn on automatic updates where the software offers them, so fixes arrive without you having to remember
- Use antivirus software and a firewall
Backups
- Make regular backups of your important data
- Store backups at a different location than your work computer, and keep at least one copy that is offline or cannot be overwritten from your normal account, so that ransomware or a mistake on your computer cannot destroy the backup as well
- Periodically test whether your backups can actually be restored: an untested backup is only a hope, not a safeguard
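A restore test does not need special tools. The script below is an added example, not part of this page or of GDPRWise: it backs up a folder into a compressed archive with a checksum, restores the archive into a separate folder and compares the result file by file, and then repeats the test against a deliberately damaged copy to show that the check really fails when the backup is unusable. The folder names and the sample customer files are constructed for the example; it assumes a Linux system with the standard `tar`, `sha256sum`, `diff` and `dd` commands.

```shell
#!/bin/sh
# Added example (not from GDPRWise): back up a folder, then prove it restores.
set -eu

# Write a compressed archive of SRC_DIR to ARCHIVE plus a SHA-256 checksum file
# beside it. The checksum lets you detect a damaged or tampered archive later.
make_backup() {
    src_dir=$1
    archive=$2
    tar -C "$src_dir" -czf "$archive" .
    sha256sum "$archive" > "$archive.sha256"
}

# Restore ARCHIVE into RESTORE_DIR and check the result against SRC_DIR.
# Returns 0 only if the archive is intact, unpacks, and matches byte for byte.
verify_restore() {
    src_dir=$1
    archive=$2
    restore_dir=$3
    # 1. Has the archive changed since its checksum was written?
    sha256sum -c "$archive.sha256" >/dev/null 2>&1 || return 1
    # 2. Does it actually unpack?
    mkdir -p "$restore_dir"
    tar -C "$restore_dir" -xzf "$archive" 2>/dev/null || return 1
    # 3. Is the restored tree identical to the original?
    diff -r "$src_dir" "$restore_dir" >/dev/null || return 1
    return 0
}

# Demonstration with constructed sample data: an intact backup should pass,
# a damaged one should fail. Prints the two outcomes, e.g. "ok fail".
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/customers"
    printf 'Jane Doe, 1 Example Street\n' > "$work/data/customers/0001.txt"
    printf 'invoice 2024-001\n' > "$work/data/customers/invoice.txt"

    make_backup "$work/data" "$work/backup.tgz"
    if verify_restore "$work/data" "$work/backup.tgz" "$work/restore1"; then
        intact=ok
    else
        intact=fail
    fi

    # Simulate bit rot or tampering: overwrite bytes inside the archive
    # after the checksum was taken, then run the same test again.
    printf 'garbage' | dd of="$work/backup.tgz" bs=1 seek=10 conv=notrunc 2>/dev/null
    if verify_restore "$work/data" "$work/backup.tgz" "$work/restore2"; then
        damaged=ok
    else
        damaged=fail
    fi

    rm -rf "$work"
    echo "$intact $damaged"
}

run_demo
```

In real use the archive goes to the off-site or offline location from the bullet above, and the periodic test restores from that copy, not from the one still sitting next to your work computer. Put the date of the last successful test in your documentation (step 4).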
Physical security
- Lock your screen whenever you step away from your computer
- Store paper files in lockable cabinets
- Be careful with data in public places: don't work on personal data where others can read your screen, and don't leave laptops or USB sticks unattended
Step 3: Determine what’s appropriate for your situation
The GDPR takes a risk-based approach. The more sensitive the data and the larger the scale, the more measures you need.
Low risk (e.g. a small webshop with only customer addresses): the basic measures above are usually sufficient.
Medium risk (e.g. a business with personnel files and financial data): also consider encryption of laptops and portable media, formal access management (who gets access to what, and who removes it when someone leaves), and a written information security policy.
High risk (e.g. a medical practice or law firm): additional measures such as a Data Protection Impact Assessment (DPIA), encryption of data both where it is stored and while it is sent, and strict access control with logging of who accessed what.
Step 4: Document what you do
It’s not enough to take the measures. You must also be able to demonstrate that you’ve taken them. Document:
- Which measures you’ve taken
- Why you chose those measures
- When you last checked them
Start today
You don’t have to do everything at once. Start with step 1 and work through the list. Every measure you take makes your business safer and your compliance stronger.
GDPRWise helps you inventory which data you process and which security measures you need.