IntermediateSmall Business Security

Know what the ICO requires from you if customer data is breached

If your business experiences a data breach — someone's personal data is accessed, lost, or shared without authorisation — you may have legal obligations under UK GDPR.

You must report a breach to the ICO (Information Commissioner's Office) within 72 hours if it is likely to result in a risk to the rights and freedoms of the people whose data was affected. This includes breaches that expose names, contact details, financial data, health data, or anything that could be used against someone.

You must also inform the affected individuals if there is a high risk to them.

The 72-hour clock starts when you become aware of the breach — which is why having a basic response plan matters. Knowing who to call (your IT provider, a solicitor, the ICO) before a crisis happens means you don't lose hours figuring it out under pressure.

The ICO has a self-assessment tool at ico.org.uk to help you decide whether a breach needs reporting. Even if you decide not to report, you should document the breach and your reasoning.

Fines for non-compliance are real and can affect small businesses — the ICO has fined organisations as small as a sole trader.

Tags

ICOGDPRdata breach reportingcomplianceUK GDPR

More in Small Business Security

All guides
beginnerfeatured

Set a rule: always verify payment requests by phone

Business Email Compromise — where criminals impersonate a director, supplier, or client to redirect payments — is one of the most costly frauds affecting small businesses. The defence is simple: a phone verification rule. Implement a policy that any payment request above a set amount (start with £500 or whatever feels right for your business) must be verbally confirmed before processing. The key is to call using a phone number you independently know — not the one in the suspicious email. Use the number from the contact's business card, your records, or their official website. Do not reply to the same email chain. This rule should apply to: - Unexpected payment requests from management or directors - Any supplier asking you to update their bank account details - Solicitors or estate agents sharing bank details for large transfers - Any email claiming urgency around financial matters Fraud at the Bristol marketing agency was only possible because the assistant processed a payment without picking up the phone. A 30-second call would have prevented £13,800 in losses.

See: The CEO Email Scam at a Small Marketing AgencySmall Business Security
beginnerfeatured

Turn on two-factor authentication for your business email today

If there is one security measure every small business should implement before anything else, it is two-factor authentication on business email. Business email accounts are valuable targets because they contain payment instructions, client relationships, supplier details, and confidential records. A compromised business email can be used to commit invoice fraud, impersonate you to clients, access linked accounts, and monitor your communications. For Microsoft 365 (Outlook): Admin centre → Users → Active users → Multi-factor authentication. For Google Workspace (Gmail): Admin console → Security → 2-step verification. If you use a personal Gmail or Outlook account for business, log into your account settings and enable 2-Step Verification right now. When staff have separate business email accounts, ensure all of them have 2FA enabled — a member of staff's account can be just as valuable as the owner's. The pharmacy incident in 2022 began with a single compromised email account that wasn't protected.

See: The Pharmacy Email BreachSmall Business Security