If you run a one-person business or a small team, your data protection responsibilities are the same as a large company’s, but you have a fraction of the time and budget to deal with them. This checklist covers the practical steps that actually matter, in the order you should tackle them.
The 10-point data protection checklist for UK SMEs
1. List what data you have
Customer records, supplier records, invoices and bank details, contracts, internal correspondence, files on your laptop, files on your phone, anything in Microsoft 365 or Google Workspace, anything on cloud services like Dropbox or QuickBooks. You cannot protect data you have not catalogued.
2. Identify what would hurt most if lost
For most UK small businesses it is customer records, finance data, and active work-in-progress files. Tier the data so you know what needs the strongest protection.
3. Check your local backups actually work
A USB drive that has not been plugged in for three months is not a backup, and a backup job that reports "success" is not proof that anything can be recovered. Set a calendar reminder once a quarter to test a restore from your local backup: restore a file into a scratch folder, never over the live copy, open it, and confirm it matches what was backed up at the time. If you cannot recover a single file, the whole backup is suspect.
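The quarterly restore test above, written out as an added example (it is not part of the original checklist and not HA Hosting's tooling). It assumes a simple tar-based local backup; the directory layout, the two CSV files and the archive paths are constructed for the demo. The point it shows is that a restore is checked against a checksum manifest recorded when the backup was taken, not against today's live copy, and that a file which never made it into the backup is reported as a failure rather than silently passed.

```shell
#!/bin/sh
# Added example: scripted quarterly restore test for a tar-based local backup.
# Assumes tar and sha256sum (falls back to shasum). All paths and the sample
# files below are constructed for this demo; substitute your own backup.
set -eu

# Pick a SHA-256 tool; both print "<hash>  <path>".
SHA=$(command -v sha256sum || echo "shasum -a 256")

# make_backup SRC_DIR ARCHIVE MANIFEST
# Archives SRC_DIR and records a checksum for every file at backup time,
# so a later restore is checked against what was actually backed up.
# (Paths containing spaces are not handled by this manifest format.)
make_backup() {
  src=$1; archive=$2; manifest=$3
  ( cd "$src" && find . -type f -exec $SHA {} + ) > "$manifest"
  tar -czf "$archive" -C "$src" .
}

# restore_and_verify ARCHIVE MANIFEST FILE
# Restores one file into a scratch directory (never over the live copy),
# compares its checksum with the manifest, and returns 0 on match, 1 otherwise.
restore_and_verify() {
  archive=$1; manifest=$2; file=$3
  scratch=$(mktemp -d)
  tar -xzf "$archive" -C "$scratch" "./$file" 2>/dev/null || true
  expected=$(awk -v f="./$file" '$2 == f { print $1 }' "$manifest")
  actual=""
  if [ -f "$scratch/$file" ]; then
    actual=$($SHA "$scratch/$file" | cut -d' ' -f1)
  fi
  rm -rf "$scratch"
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    echo "OK   $file"
    return 0
  fi
  echo "FAIL $file (expected '${expected:-not in manifest}', got '${actual:-not in archive}')"
  return 1
}

# run_demo: build constructed sample data, back it up, change the live copy,
# then check one file that is in the backup and one that never was.
run_demo() {
  work=$(mktemp -d)
  mkdir -p "$work/live/customers" "$work/live/finance"
  printf 'Acme Ltd,acme@example.com\n' > "$work/live/customers/list.csv"
  printf 'INV-001,1200.00\n' > "$work/live/finance/invoices.csv"

  make_backup "$work/live" "$work/backup.tar.gz" "$work/backup.sha256"

  # Live data changes after the backup; the restore must match the backup,
  # not whatever is on disk today.
  printf 'INV-002,50.00\n' >> "$work/live/finance/invoices.csv"

  if restore_and_verify "$work/backup.tar.gz" "$work/backup.sha256" finance/invoices.csv; then good=0; else good=1; fi
  if restore_and_verify "$work/backup.tar.gz" "$work/backup.sha256" finance/never-backed-up.csv; then missing=0; else missing=1; fi
  rm -rf "$work"
  # Pass only if the real file verified and the absent one was reported.
  [ "$good" -eq 0 ] && [ "$missing" -eq 1 ]
}

run_demo
```

Point make_backup at the folder your backup job copies and keep the manifest with the archive; the quarterly check is then one call to restore_and_verify per file you care about, and a FAIL on any of them is the signal the rest of the backup needs looking at.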
4. Add an offsite copy
Local backup protects you against a single failed drive. It does not protect you against fire, flood, theft or ransomware that encrypts your local network, and an offsite copy that stays permanently mounted with the same credentials as your PCs can be encrypted along with everything else. Add a UK cloud backup so there is a versioned copy outside your premises that machines on the local network cannot overwrite. See our UK Cloud Backup for pricing from £14 per TB per month.
5. Back up Microsoft 365 or Google Workspace separately
Microsoft and Google do not protect you against accidental deletion, malicious deletion by a leaver, or ransomware that encrypts cloud files via a sync client. If your email, OneDrive, SharePoint or Teams data matters, back it up with a third-party tool. We cover Microsoft 365 on our Managed Backup Services.
6. Use multi-factor authentication on everything
Email, banking, accounting software, cloud storage. Authenticator app or hardware key, not SMS. The single biggest reduction in account takeover risk you can buy for free.
7. Patch software regularly
Operating system updates, browser updates, accounting software, any line-of-business app, and the firmware on your router. Turn on automatic updates wherever the software offers them. Ransomware overwhelmingly gets in through known vulnerabilities that a patch already existed for, or through stolen credentials, not through zero-days.
8. Use a password manager
Pick one (1Password, Bitwarden, KeePass) and use unique strong passwords on every account. Memorising passwords does not scale past around five accounts safely.
9. Know your obligations under UK GDPR
If you process personal data about people in the UK, UK GDPR applies regardless of company size. The ICO has clear guidance for small businesses, including the duty to report a breach that is likely to put people at risk to the ICO within 72 hours of becoming aware of it, and the right of erasure. Document your decisions even if you do not have a full policy yet.
10. Write down what you would do if you were breached
Three pages of plain text covering: who notices first, who you call, what you tell customers, how you isolate the affected system, how you restore from backup. Print it. The middle of an incident is the worst time to draft a plan.
Where HA Hosting fits
Items 4 and 5 above are where most small businesses lose data. UK cloud backup gives you the offsite copy. Managed Backup Services covers it end-to-end if you would rather not run the backup tooling yourself: we run the Veeam backups for you, watch every job, and respond when restores are needed. From our ISO 27001 Sheffield data centre, UK-resident and UK-managed.