
How to avoid a GDPR breach: a guide for SMEs | myhrtoolkit

Written by Camille Brouard | Feb 21, 2020 9:00:00 AM

This article was originally published in February 2020. Since then, the UK left the EU and now operates under the UK GDPR — a retained version of the EU GDPR incorporated into UK law — enforced by the Information Commissioner's Office (ICO). The Data (Use and Access) Act 2025, which came into law on 19 June 2025, has also introduced further changes to the UK data protection framework. The advice in this article has been updated to reflect these changes.

We recently published a guide on what SMEs can do in the event of a GDPR data breach. That post summarised what a UK GDPR breach may consist of, how to report a breach, the potential financial and reputational difficulties, and the processes companies can put in place to identify breaches and minimise their impact. But how can businesses better avoid GDPR breaches in the first place? Prevention is better than cure, after all!

GDPR data security practices

Here are some of the core GDPR data security practices that small businesses can use to better protect their data against UK GDPR breaches:

Keep software up to date

Keep all the software your company uses regularly updated to ensure you have the latest patches in place. Out-of-date software can have weak spots and vulnerabilities that hackers can exploit, so regular updates are essential. The good news is that many Software as a Service (SaaS) platforms update automatically, given their web-based nature; this puts less pressure on you to keep everything up to date internally.

Provide security awareness training

Do your staff know what best practice is when it comes to data security and GDPR compliance? As it turns out, all the best tech and processes in the world won’t completely protect you against a breach if the people within your business aren’t aware of the risks. In the case of a malicious data breach, attackers may use social engineering techniques to manipulate someone into giving them access to sensitive information (such as email phishing).

Beyond this, a breach can easily occur due to avoidable mistakes by employees who lack knowledge of data security practices. In both cases, it’s important to provide security awareness training, so staff at all levels of the organisation can identify security risks and avoid creating a breach in the company’s defences – and report breaches or near-misses more effectively if they ever do occur. This way you can build a "human firewall", as our Chief Technology Officer, Kit Barker, discussed after attending a CIPD security workshop.

It's also worth being aware that if a breach does occur, the UK GDPR requires you to report it to the ICO within 72 hours of becoming aware of it, provided it poses a risk to individuals' rights and freedoms. Building staff awareness of what constitutes a reportable breach — and who is responsible for escalating it internally — is therefore a key part of your security training. The ICO has a free self-serve tool to help you check whether a breach needs to be reported at ico.org.uk/for-organisations/report-a-breach.

Regularly audit internal processes and external suppliers

Review your data security processes regularly, to ensure they remain useful and relevant in the ever-evolving areas of cybersecurity and compliance. Also, make sure the vendors and partners who are external suppliers of software and services to your business have a robust approach to data security too; a data breach on the part of an external supplier can increase the risk of a data breach for you. For a useful example of this, see our post on performing due diligence with HR software providers.

Stay up to date with UK data protection law

The UK data protection landscape continues to evolve. Since the original EU GDPR was retained into UK law as the UK GDPR, there have been further developments — most notably the Data (Use and Access) Act 2025, which came into force on 19 June 2025 and introduces changes to how personal data can be used and shared. The ICO is currently updating its guidance to reflect this Act.

For SMEs, the ICO provides a dedicated SME web hub with tailored guidance, self-serve tools, and resources — including a breach reporting checker, a privacy notice generator, and e-learning videos. It's a useful first stop for staying on top of your obligations.

Keep your staff data secure

Customer data may be your central consideration when it comes to data security and GDPR compliance – but your internal staff data is just as important to keep safe. The UK GDPR does cover staff data, giving employees rights over their personal data that affect how employers can record, keep, and use that data. For example, employees can make a Subject Access Request (SAR) to find out what data their employer holds about them.

One of the best solutions for keeping staff data safe and secure is with a reputable HR software system. For instance, myhrtoolkit has a dedicated Security Centre where system administrators can set access levels and minimum password strength requirements. You can read more about our high security standards, including our ISO 27001 certification, on our Security statement page.

Learn more: Password security: policy and best practices for your organisation

In addition to its secure nature, the self-service tools within an online HR system make it much easier for employees to keep their own information up to date, instead of requesting changes from line managers or HR administration staff.

To find out more about how a HR software system can help you keep your staff data secure and in line with GDPR requirements, watch our webinar: How does HR software help SMEs stay GDPR compliant?