22nd April 2025

GDPR & Cyber Security for SMEs

As businesses continue to navigate their way through the Covid-19 crisis, there’s a lot to consider when it comes to GDPR and keeping data secure.

In this blog, we’ll be exploring how you can best protect your data, remain compliant and mitigate cyber threats.

How has GDPR changed in the UK since Brexit?

Cast your mind back to May 2018 – yes, we know that’s a big ask. This was the month GDPR shook the world of business. Back then it was a brand-new regulation intended to strengthen and unify data protection for all individuals within the EU.

There is now a specific domestic data protection regime, known as the ‘UK GDPR’, that works in a UK context. Our obligations to protect the flow of information and secure the processing of personal data remain the same.

It’s time to get proactive about GDPR

Before embarking on a review of your UK GDPR practices, you need to get in the right mindset. Businesses can’t afford to consider data privacy as something that needs to be reacted to when it requires attention. It’s a serious issue that needs you to be proactive.

The risks of cyber attacks for SMEs

Cyber threats to businesses of all sizes and from every sector have increased due to remote working. The fact that sensitive data, applications and devices are being used outside of offices, and possibly being used on untrusted networks and cloud services, should be a cause for concern.

When working from home there is a heightened risk of attack and data theft, because the strong antivirus software, customised firewalls and backup tools present within an office environment are often missing.

Malware and malicious campaigns to ‘steal’ personal and work-related data can easily target remote workers as the security defences are weaker.

Privacy statements

A Privacy Statement is crucial to demonstrate how you are protecting your business and to assure your customers that you are doing everything you can to keep their data secure while offices are closed. This is paramount to their peace of mind.

Every time an organisation makes a change to the way they handle customer data, the Privacy Statement on their website must be updated. Ideally, you should have communicated any changes to your customers before these changes come into effect.

When the update includes a considerable change to the way data is handled you must send an update notice to all customers. The best method for this is by email – relying on them visiting your website to view the statement isn’t effective. In the email consider including:

  • The effective date of the update.

  • A link to the full policy on your website.

  • A convenient list highlighting the important changes.

  • Details of what the customer should do if they don’t accept the changes.

In addition, many businesses use a pop-up feature on their website, so when a customer visits the site, they are given the opportunity to view the updates before entering the site.

It’s key to keep customer confidence levels high in times of uncertainty. Be aware that today's consumers choose who they give their data to. If they don’t feel assured that their data is being kept safe, they won’t provide it or give you their custom.

Remote working and cyber security

Even before the coronavirus crisis we saw an increase in employees requesting to work from home, and this escalated post-Covid. In light of this, it makes perfect sense to revise your cyber security and privacy policies and include measures for your remote workers. Here’s what you should consider:

  • Ask employees to use strong passwords. Passwords should be unique for every application: if the same password is reused and one account is compromised, the attacker can then get into every account that shares it.

  • If possible, set up two-step verification. This adds an extra stage for added protection: facial recognition, a fingerprint or a USB security key.

  • Provide employees with a VPN (Virtual Private Network). This works by giving your employees a password and an app which connects them securely to a dedicated server; the connection hides their IP address and encrypts all traffic between their device and that server.

  • Ensure all remote workers set up firewalls to prevent threats entering your organisation’s system. There are some reliable free third-party firewalls available – speak to your IT department and ask for their advice on the best ones to recommend.

  • Ask that everybody installs robust antivirus software. Should a malicious attack get through the firewall, this extra layer makes it more difficult for an unauthorised person to get any further.

  • Request that staff check the security of their home router. Ask employees to change the router’s password if they didn’t do this when it was initially installed; if the default password is still in place, the router remains open to attack. In addition, ask them to set the encryption to WPA2 or WPA3 and switch off WPS to ensure the highest level of protection.

  • Advise staff not to delay when a device needs updating. Updates include patches for security vulnerabilities.

  • Request that all data be backed up. Some malware can wipe entire accounts before it is even detected!

  • Instruct staff NOT to open any emails they are unsure of. Regularly communicate the latest phishing email scams to make employees aware of the risk. Just as importantly, make sure staff know how to report suspected phishing emails.

Protecting your email content

The use of email as a way of keeping in contact has increased over the past year. While on the whole this has been beneficial, the sharing of sensitive data over email is placing many organisations at risk of cyber attack and data breach.

The email security organisation, Egress, has reported this month that 85% of businesses have suffered an email related breach since the first lockdown in March 2020.

24% of these breaches were caused by human error. Employees admitted to:

  • sharing sensitive information by accident

  • using Cc when they meant to use Bcc

  • replying to all instead of just one individual

  • attaching the wrong file

  • sending a message to the wrong person

Now is a good time to remind all employees to be vigilant and to take extra care when forwarding sensitive data over email. When communicating this to them, highlight the common errors above so that they act as a checklist to help eliminate these mistakes, and inform staff of the consequences of leaked data.
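The checklist above can also be enforced by software before a message leaves the organisation. The script below is an added example, not code from the original post or from Egress: it parses an outgoing message with Python’s standard `email` library and flags the Cc-instead-of-Bcc mistake, messages addressed to several outside organisations at once, and attachments whose filename suggests sensitive content going to an external address. The internal domain `example.co.uk`, the threshold of five visible external recipients, the keyword list and the sample messages are all constructed for illustration.

```python
"""Pre-send checks for common email mistakes (added example, not from the post).

Assumptions (constructed for this example): the organisation's own domain is
example.co.uk, more than five external addresses visible in To/Cc is treated
as a likely Bcc mistake, and the keyword list below marks sensitive filenames.
"""
from email import message_from_string
from email.utils import getaddresses
from typing import List

INTERNAL_DOMAIN = "example.co.uk"     # assumption: our own domain
MAX_VISIBLE_EXTERNAL = 5              # assumption: above this, Bcc should be used
SENSITIVE_KEYWORDS = ("salary", "payroll", "confidential", "passport")


def _recipients(msg, header: str) -> List[str]:
    """All addresses found in the given header, lower-cased."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _is_external(addr: str) -> bool:
    return not addr.endswith("@" + INTERNAL_DOMAIN)


def check_outgoing(raw_message: str) -> List[str]:
    """Return a list of warnings for an outgoing RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw_message)
    warnings: List[str] = []

    visible = _recipients(msg, "To") + _recipients(msg, "Cc")
    external = [a for a in visible if _is_external(a)]

    # 1. Many external addresses in To/Cc: every recipient sees every other
    #    recipient's address, which is the classic Cc-instead-of-Bcc leak.
    if len(external) > MAX_VISIBLE_EXTERNAL:
        warnings.append(f"{len(external)} external recipients visible in To/Cc; use Bcc")

    # 2. External recipients from more than one organisation in a single message
    #    often means the wrong person has been added.
    domains = {a.split("@", 1)[1] for a in external}
    if len(domains) > 1:
        warnings.append(f"external recipients span {len(domains)} domains: {sorted(domains)}")

    # 3. An attachment whose name suggests sensitive content, addressed outside
    #    the organisation, is worth a second look before sending.
    for part in msg.walk():
        name = part.get_filename()
        if name and external and any(k in name.lower() for k in SENSITIVE_KEYWORDS):
            warnings.append(f"attachment '{name}' looks sensitive and is addressed externally")

    return warnings


# Constructed sample messages for a stand-alone run.
SAMPLE_RISKY = """From: hr@example.co.uk
To: alice@client-one.example
Cc: bob@client-two.example, carol@client-two.example
Subject: April update
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please see attached.
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="payroll-april.xlsx"

ZGF0YQ==
--B--
"""

SAMPLE_CLEAN = """From: hr@example.co.uk
To: dave@example.co.uk
Subject: Lunch

Canteen at one?
"""

if __name__ == "__main__":
    for label, sample in (("risky", SAMPLE_RISKY), ("clean", SAMPLE_CLEAN)):
        print(label, check_outgoing(sample) or "no warnings")
```

In practice a check like this would sit in a mail client add-in or an outbound mail gateway, where it can prompt the sender rather than silently block; the rules are deliberately simple so that staff understand why a message was flagged.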

Contact us for help

Please get in touch with us on 0161 941 2426 if you’d like to discuss any issues discussed in this blog. We’re here to help.
