
How UK Companies Can Keep Data Secure
Practical steps and legal obligations for protecting sensitive information
Published 27 February 2026
Most business owners know, at least vaguely, that they have legal obligations around data protection. Fewer know exactly what those obligations look like day-to-day, or what happens when things go wrong. The fines can be eye-watering (we’ll come to those), but the good news is that the steps needed to stay on the right side of the law are neither complicated nor expensive.
What follows is a practical walkthrough: what the law actually says, where the common weak spots are, and what to do about them, covering digital security, physical records, and the human side of things that so often gets overlooked.
What UK Law Requires
Two pieces of legislation do the heavy lifting here: the UK GDPR and the Data Protection Act 2018. Between them, they say that personal data must be handled securely: protected against unauthorised access, accidental loss, destruction, or damage.
That sounds broad, and it is. What it boils down to is that businesses need appropriate technical and organisational measures in place. “Appropriate” is doing a lot of work in that sentence; it means proportionate to the data you hold and the risks you face. A GP surgery holding medical records needs stronger protections than a window cleaning firm with a customer address list, but both have obligations.
There’s also an accountability requirement. It’s not enough to have measures in place; you need to be able to show that you do. Written policies, documented risk assessments, and records of training all matter if the ICO ever comes knocking.
And the penalties? The ICO can fine serious violations up to the higher of £17.5 million or 4% of global annual turnover. That upper limit is rarely reached, but six- and seven-figure fines are no longer unusual.
The Scale of the Problem
43% of UK businesses reported a cyber security breach or attack in 2024–25, according to the government’s Cyber Security Breaches Survey 2025. That’s roughly 718,000 businesses in a single year.
Phishing is still the most common attack method, and AI-powered impersonation is making phishing emails harder to spot than ever. But it isn’t just sophisticated attacks causing problems. The ICO’s own analysis of incidents reported by SMEs keeps pointing to the same culprits: weak passwords, poor system configuration, and plain old human error.
None of this is confined to big corporations. Small firms are targeted precisely because attackers assume, often correctly, that their defences are weaker.
Technical Security: The Basics That Matter Most
The NCSC’s small business security guide is worth reading in full, but the core message is reassuring: a relatively small number of controls, properly applied, will stop the vast majority of common attacks.
Backups
This is the single best insurance policy against ransomware. If your data is backed up regularly, stored separately from your main systems (off-site or in the cloud), and you’ve actually tested that you can restore from those backups, then a ransomware demand loses most of its power. The NCSC puts it bluntly: organisations with reliable backups can’t be blackmailed.
The mistake many businesses make is assuming their backups work without ever checking. Test them.
Patching and Software Updates
Attackers love known vulnerabilities: flaws in software that have already been identified and for which patches already exist. The only reason these attacks still work is that businesses don’t apply the updates quickly enough. NCSC guidance calls patching one of the single most effective things a company can do. Turn on automatic updates wherever you can. It costs nothing and it closes doors that attackers are actively trying to walk through.
Anti-Malware Software
Every machine that connects to your network (desktops, laptops, servers) should be running up-to-date anti-malware software. Most modern operating systems ship with decent built-in protection, but it needs to be switched on and kept current. This isn’t an area where “set and forget” is good enough.
Access Controls and Multi-Factor Authentication
Two principles matter here. First, least privilege: give people access only to the systems and data they actually need for their work. The NCSC recommends that day-to-day work should be done on standard user accounts, not administrator accounts. If a standard account gets compromised, the damage is contained. If an admin account is breached, everything is exposed.
Second, multi-factor authentication. Passwords on their own are not enough any more; they get reused, guessed, phished, and leaked in data breaches. MFA adds a second step (a code on your phone, a hardware key, a biometric check) that makes stolen credentials far less useful to an attacker. The ICO was blunt about this in the 23andMe case: the absence of MFA was a central reason for the fine.
Firewalls
A firewall is a basic barrier between your network and the outside world. Most routers and operating systems have one built in; the NCSC’s advice is simply to make sure it’s turned on. For remote workers connecting over public Wi-Fi, a VPN adds a necessary extra layer.
Cloud Services
If you’re using cloud storage, hosted email, or SaaS tools (and most businesses are!) then the security of those services is part of your responsibility too. The NCSC publishes guidance on securing cloud platforms covering encryption, access controls, and data residency. Don’t assume a cloud provider has you covered by default. Check the settings. Consumer apps like personal Dropbox or Gmail accounts shouldn’t be used for sensitive business data.
Physical Data Security
This is the area that gets forgotten. Businesses invest in firewalls and encryption, then leave filing cabinets unlocked and old hard drives in a skip. The UK GDPR doesn’t distinguish between digital and physical data: all personal data must be protected, regardless of format. Paper records, printed documents, USB sticks, backup tapes, decommissioned laptops: all of it is covered.
The ICO’s guide to data security spells this out clearly: appropriate security measures must extend to the physical environments where data is stored and handled.
Paper Records
Any document containing personal information needs to be stored securely: lockable cabinets, restricted areas, limited access. That applies to client files, employee records, financial paperwork, and anything with names, addresses, or account details on it. When those records reach the end of their life, putting them in the recycling bin isn’t secure disposal. Confidential paperwork must be destroyed in a way that makes it unreadable.
Old IT Equipment
Hard drives, USB sticks, old phones, and retired laptops can hold recoverable data long after anyone last opened a file on them. Deleting files or running a factory reset isn’t enough: the data is often still there, and freely available software can retrieve it. Before any equipment is recycled, donated, or thrown away, the storage media needs to be properly wiped or physically destroyed.
Controlling Physical Access
Who can walk into your office? Who can get into the room where the servers sit, or where the personnel files are kept? Visitor sign-in, locked server rooms, and a clear-desk policy are all part of the “organisational measures” the law expects. They’re cheap to implement and easy to overlook, which is precisely why they come up in ICO investigations.
The Human Factor
You can have the best firewall in the world and it won’t help if someone in accounts clicks a phishing link at 4:55 on a Friday afternoon. People are consistently the weakest point in any security setup, and the ICO’s reports on SME breaches confirm it; human error appears near the top of every list.
Training
Staff training doesn’t need to be elaborate. Short, regular sessions that cover how to recognise a phishing email, what to do with an unexpected attachment, and who to report concerns to will make a tangible difference. The UK government offers free NCSC training modules, including a “Top Tips for Staff” course that takes very little time to complete. The point isn’t to turn everyone into a security expert; it’s to make sure no one is a sitting target.
Written Policies
Even a one-page document that sets out who is responsible for what, how incidents should be reported, and what the rules are around passwords and data handling gives a business something to point to. The ICO’s accountability guidance expects organisations to keep records of their processing activities and security arrangements, and to review them regularly, not just write them once and file them away.
Incident Response
Things will go wrong eventually. The question is whether your business fumbles the response or handles it competently. A basic incident response plan is worth having written down before it’s needed: who to contact, how to isolate affected systems, how to assess what’s happened, how to restore services, and so on.
Bear in mind the legal deadline: serious personal data breaches must be reported to the ICO within 72 hours. That clock starts ticking as soon as you become aware of the breach, not when you’ve finished investigating it. Having a plan in a drawer is better than scrambling to work out the process in the middle of a crisis.
Cyber Essentials
The Cyber Essentials scheme is a government-backed certification covering five core technical controls: firewalls, secure configuration, access management, malware protection, and patching. It’s not onerous to achieve, and it serves two purposes: it actually improves your security posture, and it gives clients and partners a visible signal that you take data protection seriously. Certified businesses are, according to government data, significantly less likely to suffer common types of breach.
What Happens When It Goes Wrong: Recent ICO Fines
Theory is one thing. These cases show what the consequences look like in practice.
In 2025, the ICO fined 23andMe £2.31 million after attackers used credential stuffing (trying username and password combinations leaked from other breaches) to access accounts containing genetic data belonging to UK users. The investigation found that the company hadn’t required multi-factor authentication and hadn’t done enough to detect or prevent the attack, despite the technique being well-known and foreseeable.
A UK police service was fined £750,000 after a breach exposed the personal details of its entire workforce. Again, the root cause was inadequate security measures: not a sophisticated zero-day exploit, just basic failures in how data was protected and how the organisation responded.
The pattern across ICO enforcement is consistent. The failures that attract fines aren’t obscure or technical. They’re failures to follow published guidance, apply available patches, and implement controls proportionate to the sensitivity of the data. In other words, the basics.
Checklist
| Action | Who’s Responsible | Typical Effort |
|---|---|---|
| Regular off-site or cloud backups (tested) | IT or business owner | Low - automated options available |
| Apply software and firmware updates promptly | IT or all users | Low - enable automatic updates |
| Strong passwords and MFA on all accounts | All staff | Low - one-time setup |
| Anti-malware software on every device | IT or all users | Low - often built in |
| Restrict admin privileges to IT tasks only | IT or management | Low - one-time configuration |
| Lock away physical records; limit access | All staff and management | Low - lockable storage, clear-desk policy |
| Securely destroy paper records and wipe old IT equipment | Office manager or IT | Low to medium - needs a defined process |
| Regular staff awareness training | Management or HR | Medium - short periodic sessions |
| Written incident response plan | Management and IT | Medium - draft, then review annually |
| Cyber Essentials certification | Management and IT | Medium - assessment and any remediation |
In a small business, most of this falls to the owner or a single manager. That’s fine: what matters is that someone owns each item and reviews it regularly, rather than ticking it off once and forgetting about it.
Contact Shredsec to discuss your shredding requirements.