Protecting customer data

Data is a valuable corporate resource. Businesses and organisations collect, store, and analyse data to; understand their customers, tailor products to better suit their needs, improve customer experiences and optimise production so they can sell more efficiently.

However, data collection carries a range of potential risks that businesses must plan for, including data breaches.

According to the 2022 Cyber Security Breaches Survey, carried out by the Department for Digital, Culture, Media & Sport, 39% of UK businesses identified a cyber-security breach in the last 12 months.

The most common and most disruptive form of security breach is phishing – employees receiving fraudulent emails or being directed to fraudulent websites.

If a cyber-attack targeting customer data is successful, businesses may lose customers, industry reputation, and brand trust, and could even face fines or penalties by the Information Commissioners Office (ICO).

Data protection law sets out what should be done to make sure everyone’s data is used properly and fairly. In the UK, the General Data Protection Regulation (GDPR) summarises how organisations must process and hold personal data, covering areas such as lawfulness, transparency, fairness, consent, and accountability.

Data protection law applies to all workplaces, business ventures, groups, clubs, and enterprises of any type. Whether you’re a sole trader or self-employed, work for yourself or you’re an owner or director, if you hire only a handful of staff or even if you don’t employ any staff at all – the rules are the same. It makes no difference where the error came from, what matters is that people could be harmed.

8 things for businesses to consider to help prevent data breaches:


Make sure systems are up to date: Apply the latest security updates to all systems, including archive servers, as soon as possible. Outline this in the data security policy and ensure it’s followed.


Don’t keep data for longer than needed: Only keep the personal data you need for as long as you need it – especially if the data is unencrypted, as data subjects can be easily identified if there’s a breach.


Encrypt personal data: Ensure all personal data is encrypted ‘at rest’, i.e. when stored. If there’s a cyber-attack, this lowers the risk to people whose personal data is stolen.


Provide employee training: Increase cyber security awareness throughout the business so that employees become more vigilant and understand how and when to report suspicious activity, and how to handle personal data. IT teams need to understand and carefully apply data security policies.


Check someone’s identity: The inability to trust information supplied to the right person will hinder any organisation’s efforts to service its customers.  But by spending a little extra time successfully checking the claimed identity of a person, a business can be confident that they’re giving the right people the right information.


Avoid releasing data into the wrong hands: Identity checks help to ensure that you’re talking to the person they claim to be, protecting the customer and the business from information falling into the wrong hands. Any phone call should include customer verification questions such as – their name, date of birth and address, including postcode. Sometimes a password attached to an account may also be requested and recorded against the customer’s records for added security.


Introduce a remote working policy and security measures: For those businesses who offer flexible working options, a remote working policy should tell employees how to handle personal data when working elsewhere. Also, ensure you have proper remote-working security measures. Don’t allow access to sensitive data with only a single username and password. If available, use MFA for any remote login, especially if sensitive personal data is involved.


Ensure that security meets industry standards: Review data security practices against industry standards of good practice, including guidance from the National Cyber Security Centre and the ICO itself. If relevant to the business, consider getting certification from the NCSC Cyber Essentials. Your data security should meet or even surpass the basic requirement of the Cyber Essentials if you process personal data that is especially sensitive.

We are here to help

If you are concerned about how this affects you and your business and would like support in assessing your needs, we are here to help. Please do get in touch for confidential advice and guidance.

This article was adapted from an article by Allianz which can be found here.